Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
30/04/2026
Music is evolving, and so are the ways you discover and connect with artists. In...
30/04/2026
Between April 22-29, the first inaugural Stockholm Music Week brought together thought leaders and partners across industries including music, tech, government,...
30/04/2026
Iconic large-format console upgraded
API's iconic Vision console has just been treated to an overhaul that aims to meet the demands of today's profe...
30/04/2026
Comes complete with miking accessories
The LCT 440 Pure has proven to be a popular member of Lewitt's mic line-up, offering impressive technical perform...
30/04/2026
24 October 2026 at The Octagon, Sheffield
Now in its eighth year, SynthFest UK is the largest event of its kind in the UK, bringing together the top keyboar...
30/04/2026
Rohde & Schwarz equips new Terminal 3 at Frankfurt Airport with security scanner...
30/04/2026
Rohde & Schwarz expands broadband amplifier portfolio with new power classes up ...
30/04/2026
Jennifer Ehle (Contagion, Zero Dark Thirty) and Alex Hassell (Rivals, Wasteman, ...
30/04/2026
Behind the Broadcast: The Sound of Elite Golf Golf is gaining popularity; the 2025 Ryder Cup achieved record-breaking viewing figures in the UK specifically, wi...
30/04/2026
Com a evolu o de novos standards de broadcast em todo o mundo e o OTT streaming buscando a posi o de lideran a no consumo de m dia, tanto os codecs de v deo q...
30/04/2026
All-New AI-Powered Network Intelligence Solution, Resilient Remote OLTs and Back-Office Integration Platform Power Smarter, More Efficient Fiber Networks SAN JO...
30/04/2026
Two worlds, one show The tour unfolds in two distinct halves. The first is a sol...
30/04/2026
Rian na Fola airs on RT One and RT Player on Monday May 4
Rian na Fola is a o...
29/04/2026
Combines EQ and harmonic distortion
Techivation's latest release is a simple EQ designed to offer quick control over a source's overall tonal balanc...
29/04/2026
Two new MPE controllers announced
Expressive E caused quite a stir when they released the Osmose, making the sort of expression that was once reserved for p...
29/04/2026
New modules & enhanced machine-learning
The latest version of iZotope's flagship restoration suite is now available, and now offers over 50 tools design...
29/04/2026
Voting opens at 4pm today
RT 's Today show have announced the eight finalists for their TV Home Cook competition. Amateur cooks from Cork, Dublin, Galway ...
29/04/2026
29 Apr 2026
VEON and Kyivstar Fulfill Commitment to Invest USD 1 Billion in Ukr...
29/04/2026
Rhod Gilbert, Harriet Kemsley, Kae Kurd, Sara Pascoe and Vicki Pattison to take part in brand new series on free streaming service U
Free streaming service U i...
29/04/2026
Wednesday 29 April 2026
Katie Price: Nothing to Hide, a Sky Original documentar...
29/04/2026
Re-examining the case of Ellie Williams and the wider story of grooming in the town of BarrowWednesday 29 April 2026
Sky announces upcoming documentary series ...
29/04/2026
Wednesday 29 April 2026
Jennifer Garner to lead an all-star cast in new Sky Exc...
29/04/2026
Students and staff from Hills Road Sixth Form College in Cambridge ran a 4.5km course around the roads of Cambridge as part of their annual programme of sustain...
29/04/2026
The Dawn Chorus airs Sunday 3 May from midnight to 7am on RT Radio 1 and RT ly...
28/04/2026
Today, we announced our First Quarter 2026 earnings, starting the Year of Raising Ambition with strong momentum across the business and continued innovation acr...
28/04/2026
I dag presenterade vi v rt resultat f r det f rsta kvartalet 2026. Vi inleder ret med starkt momentum i hela verksamheten och fortsatt innovation p plattforme...
28/04/2026
New handheld promises studio performance for the stage
Mojave have just introduced a new live-focused handheld vocal mic created by award-winning designer D...
28/04/2026
Max for Live device offers AI-powered stem separation
Dynamic Split Module (DSM) is a new Max for Live device created by Ostin Solo, a developer and musican...
28/04/2026
First interface equipped with ISA preamps
Focusrite have just announced the launch of a new high-end audio interface that features a pair of their legendary...
28/04/2026
In 2023, Norwegian climber Kristin Harila set out to break a mountaineering reco...
28/04/2026
RT News is pleased to announce the appointment of Sean Whelan as its new London Correspondent.
Sean has held the role of Washington Correspondent for the last...
28/04/2026
Joseph O'Connor, Eileen Walsh, Louise Duffy, Mick Lynch, Gormfhlaith N Thuairisg and Dermot Bannon take a personal look at life 100yrs ago in new TV docume...
27/04/2026
N r Spotify grundades f r 20 r sedan dominerades musikmarknaden av illegal nedladdning. Sedan dess har streaming bidragit till att teruppr tta betalningsvilja...
27/04/2026
Time on Spotify should feel meaningful and intentional, not something that slips...
27/04/2026
New modular multi-effects plug-in revealed
The latest plug-in from Brainworx delivers a modular set of effects designed to offer a convenient alternative to...
27/04/2026
Kit includes supercardioid & shotgun capsules
High-end mic manufacturer Schoeps have recently introduced another member of their Desert Island Set family. O...
27/04/2026
LA2A-inspired 500-series module arrives
Sound Skulptor have announced the upcoming launch of a new 500-series module that aims to recreate one of the most p...
27/04/2026
SSL-inspired compressor unit upgraded
Stam Audio are well known for their painstaking recreations of vintage audio gear, with their extensive product range ...
27/04/2026
Red Seat Ventures Announces Exclusive Multiyear Partnership with Kill Tony The Company is the New Monetization and Distribution Home for the Globally Popula...
27/04/2026
RT 2FM is calling on aspiring DJs across Ireland to take their shot at the spot...
27/04/2026
RT continues to champion Ireland's creative life this May, supporting a broad range of festivals, exhibitions and performances across music, theatre, liter...
25/04/2026
In the heart of Mexico City, music, culture, and fashion converged last night as Spotify and Vogue Latin America welcomed guests to an intimate gathering at Soh...
25/04/2026
New modular multi-effects plug-in revealed
The latest plug-in from Brainworx delivers a modular set of effects designed to offer a convenient alternative to...
24/04/2026
Earth Day is a chance to reflect on our connection to the natural world. To mark the 57th Earth Day on April 22, Spotify's editors have pulled together a co...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
