
Streaming, and Spotify for that matter, wouldn't have been possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting were so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come in regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.