Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
13/02/2026
This Wednesday in Los Angeles, Spotify brought together a group of podcast creat...
13/02/2026
Yesterday, Spotify and LoveShackFancy hosted a Galentine's and Gents Lunch a...
13/02/2026
What can I watch on UKTV this week?What can I stream on U this week?
This guide highlights romantic dramas for Valentine's Day, alternative relationship t...
13/02/2026
New RT series tells stranger-than-fiction stories of Irish con artists
Swindlers airs Wednesday 18 February, 9.35pm on RT One and RT Player
Swindlers, a...
12/02/2026
Valentine's Day often comes with a soundtrack. In fact, Spotify data shows that more people used Blend, our shared playlist feature, on February 14, 2025, t...
12/02/2026
Some days you want your music to reflect a specific feeling, memory, or vibe that goes beyond a single artist or genre. You want to do more than listen. You wan...
12/02/2026
The six-part crime drama, created by Claire Oakley and produced by Little Door P...
12/02/2026
Wuppertal February 12, 2026
Riedel Opens Kuala Lumpur Office to Strengthen Glo...
12/02/2026
The Digital Product Passport: A New Era of Transparency and Sustainability
Arvato Systems supports companies in getting started with the digital product passp...
11/02/2026
Video moves fast can your DAM keep up?
Join Blue Lucy in LA for the West Coast's leading Digital Asset Management event as we explore, celebrate, and acc...
11/02/2026
Wednesday 11 February 2026
Sky brings together Netflix, Disney , HBO Max and Ha...
11/02/2026
At the end of January, ICG headed off to the Portuguese capital, Lisbon, for our annual conference.
An early flight gave us plenty of time to start exploring s...
11/02/2026
The intergalactic children's show starring Adam King will premiere on 14 February on RT 2, RT KIDSjr and RT Player
The Late Late Toy Show star Adam King...
10/02/2026
With a new film adaptation of Wuthering Heights arriving just in time for Valent...
10/02/2026
Today, we announced our fourth quarter 2025 earnings, marking a strong finish to the year with exceptional user growth and continued momentum across the busines...
10/02/2026
I dag redovisar vi v rt resultat f r fj rde kvartalet 2025, vilket markerar ett starkt avslut p ret med robust anv ndartillv xt och fortsatt momentum i hela v...
10/02/2026
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({ content_source:......
10/02/2026
10 Feb 2026
VEON's Kyivstar Expands Digital Healthcare Services in Ukraine ...
10/02/2026
The new TV campaign is set to air on Sky from 10th February - 6th April inviting...
10/02/2026
Red Seat Ventures Acquires Leading Podcast Subscription Platform Supercast Los Angeles, CA, February 10, 2026 - Red Seat Ventures, a division of Fox Corporati...
10/02/2026
Arvato Systems celebrates a decade of innovation and customer success in the dig...
09/02/2026
Book a meeting or demonstration at ISE 2026! Please enter the following details. (Tick the relevant box for a meeting or demo):
--
Meeting / Demo*
Meeting...
09/02/2026
From Green Day using 2028s, Charlie Puth's rendition of The Star-Spangled Banner with a d:facto (as well as 4099s on many of the instruments) and Bad Bunny...
09/02/2026
RT Investigates rapid rise in waiting list for the Central Mental Hospital
am...
08/02/2026
08 Feb 2026
VEON and JazzWorld Launch Invest in Pakistan, NOW! Inviting Inter...
06/02/2026
Music fans know the feeling: A song stops you in your tracks, and you immediately want to know more. What inspired it, and what's the meaning behind it? We ...
06/02/2026
Calrec Wins Best of Show at ISE 2026 for Orchestrating Distributed IP Production
Calrec is delighted to announce that its IP Ecosystem Powered by True Control...
06/02/2026
What can I watch on TV in the UK this week? What can I watch on U&GOLD? What can I stream on U this week?
This week on UKTV, viewers can watch a range of new a...
06/02/2026
The Winter Olympics 2026 in Milano Cortina officially get underway this evening (Friday 6 February) with the Opening Ceremony live on RT Player and RT News ch...
05/02/2026
Since bringing audiobooks to Spotify in 2022, we've helped listeners discove...
05/02/2026
Today, Spotify announced two new updates to give book lovers a more personalized...
05/02/2026
AI should balance automation (replacing tasks) and augmentation (empowering humans). Automate the mundane and augment the creative by applying the right AI type...
05/02/2026
BBC Studios and UKTV have appointed Karin Marelle to lead their Global Acquisitions team, overseeing the sourcing of content across BBC Studios' global chan...
05/02/2026
Thursday 5 February 2026
The Miniature Wife, A Sky Exclusive comedy drama starr...
05/02/2026
Thursday 5 February 2026
Trailer Revealed for Sky Original Film FUZE starring A...
05/02/2026
Rohde & Schwarz at MWC Barcelona 2026: Enabling connections, empowering innovati...
04/02/2026
Lyrics are one of Spotify's most popular features, giving fans a richer way to experience the music and artists they love. They're viewed hundreds of mi...
04/02/2026
Wednesday 4 February 2026
Full cast announced for Saturday Night Live UK, comin...
04/02/2026
Wednesday 4 February 2026
Fear of running out of mobile data (FORO) is a real i...
04/02/2026
Rohde & Schwarz powers next generation television in Brazil with DTV technology...
04/02/2026
Fox Corporation Reports Second Quarter Fiscal 2026 Financial Results NEW YORK, NY, February 4, 2026 - Fox Corporation (Nasdaq: FOXA, FOX; FOX or the Compan...
04/02/2026
Lucas P. Arag n Joins FOX Advertising as Senior Vice President, Creative New York, NY - February 4, 2026 - Accomplished Creative Executive Lucas P. Arag n has...
04/02/2026
Following the passing of our friend and colleague Hugh Wallace, and with the full support of his family, RT will proceed with the broadcast of the new series o...
03/02/2026
Spotify's annual Best New Artist celebration returned to Los Angeles last ni...
03/02/2026
FoMa Antares: Redefining Camera Stabilization for Modern ProductionsIn high-end broadcast and cinematic environments, precision, reliability, and flexibility ar...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
