
6 Frequently Asked Questions About Spotify's Bug Bounty Program

13/09/2019

Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.

At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.

Want to learn more? We've broken it down into six frequently asked questions.

1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.

2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.

In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.

3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.

4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.

One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.

5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, harming the brand and reputation of Spotify. Or, credentials exposed through such a weakness could be used for lateral movement or in a phishing attack. None of this is good for us or our users.

6. So what's the next step for security at Spotify? As mentioned, many of the reports we receive concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.

So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.

LINK: https://newsroom.spotify.com/2019-09-13/6-frequently-asked-questions-a...