
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting were so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of the reports we receive concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.