
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
06/09/2026
June 9 2026, 23:00 (PDT) Dolby and MagentaTV Bring Fans Closer to the FIFA Worl...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
07/07/2026
Applications are now open for the Validation Booster, a six-month acceleration programme supporting journalists, media organisations, content creators, media in...
07/07/2026
New mixer aimed squarely at instrument-level sources
Heritage Audio have clearly been busy recently, as alongside their all-new Tubestrip, they've also ...
07/07/2026
New channel strip combines popular hardware designs
The latest arrival to the Heritage Audio line-up brings together a selection of their praised hardware d...
07/07/2026
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({ content_source:......
07/07/2026
UKTV commission with BritBox and Sony Pictures Television and inspired by Deborah Cadbury's book, Chocolate Wars
The six-part series is produced by Fable P...
07/07/2026
Tuesday 7 July 2026
Record audiences tune into the ICC Women's T20 World Cup 2026 on Sky Sports
The ICC Women's T20 World Cup 2026 was the most watche...
07/07/2026
Tuesday 7 July 2026
Official trailer released for Fightland, a revenge drama fr...
07/07/2026
Wuppertal July 7, 2026
Riedel and ARRI Bring Cinematic Live Production to the Eurovision Song ContestRiedel Communications and ARRI played a key role in one o...
07/07/2026
To Whom It Concerns RT today confirmed that Patrick Kielty is to extend his contract as host of The Late Late Show.
Last season, the world's longest-runn...
06/07/2026
Bundle gains 100 new synths & more
Synth Anthology 5 the largest and most feature-packed edition of UVI's hardware synth emulation bundle, bringing toge...
06/07/2026
Available now via free firmware update
MOTU have just announced that three of their popular audio interfaces now boast official Milan Certification. The 16A...
06/07/2026
Rohde & Schwarz completes Hunter Preliminary Design Review for the Integrated Co...
06/07/2026
The R&S IMAGER from Rohde & Schwarz uses millimeter wave imaging to inspect the ...
06/07/2026
Monday 6 July 2026
Sky Kids unveils new slate for 2026 including Paris Hilton...
06/07/2026
Monday 6 July 2026
Sky agrees to acquire ITV Media & Entertainment, creating a ...
06/07/2026
Fresh from his World Cup heroics with Cabo Verde, Roberto Pico' Lopes will join the RT panel for Argentina v Egypt tomorrow and for the England v Norway q...
06/07/2026
A death can be unsuspicious, but it has to be explained
What happened to Ke...
05/07/2026
Browser-based and desktop apps available
Digital Sunset Studios have been busy working on an interesting project: a free software tool that provides compute...
04/07/2026
Celebrates company's 80th anniversary
Rhodes have recently revealed that they will be producing a limited run of electric pianos in celebration of their...
04/07/2026
** MEDIA ALERT **
BLEACH: THOUSAND-YEAR BLOOD WAR THE CALAMITY Continues I...
04/07/2026
** MEDIA ALERT **
VIZ Media Unveils New Anime Slate at Anime Expo 2026 with ...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
03/07/2026
New bundle & three Single Packs
Continuing to expand their already sizeable orchestral collection, VSL's latest release introduces three new Single Pack...
03/07/2026
Venue installs new ATC-equipped control room
LSO St Luke's, a unique music venue that also serves as the home of the London Symphony Orchestra, have rec...
03/07/2026
1 February 2023
SHARE Facebook Twitter Linkedin Email
Munich, Germany, 1st February 2023: Cinegy GmbH, the premier provider of software technology for digit...
03/07/2026
** MEDIA ALERT **
VIZ Media Celebrates Anime Expo 2026 with BLACK TORCH Worl...
02/07/2026
Stammering, stuttering, strangulated tones
The Crow Hill Company's latest creation promises to be the most original sound set they've produced to d...
02/07/2026
A new era in unmixing and spectral editing
The latest version of Steinberg's spectral audio-editing software has just arrived, building on the strength...
02/07/2026
Aims to simplify additive synthesis
Sine Machine is the debut launch from Melatonin, a Vienna-based developer who have spent the past six years creating wha...
02/07/2026
Products to remain fully active & supported
Following the news of Native Instruments joining the inMusic brand line-up, Academy and Emmy Award-winning visua...
02/07/2026
What you missed!
Last weekend, Saturday 27 June 2026, saw the debut of Sound On Sounds new GearExpo UK event, the largest dedicated pro-audio event to take ...
02/07/2026
Thursday 2 July 2026
Tea with Judi Dench returns to Sky Arts with legendary guest, Sir Ian McKellen
Sky today confirms Tea with Judi Dench will return this su...
01/07/2026
New AI Assistant, Multi-channel Audio, ARA2 improvements & more
Tracktion's DAW software has just received its latest major update, gaining a selection ...
01/07/2026
Stammering, stuttering, strangulated tones
The Crow Hill Company's latest creation promises to be the most original sound set they've produced to d...
01/07/2026
Exclusive run of limited-edition modelling pedals
Sweetwater and Andertons M...
01/07/2026
Our SD10T was an absolutely rock-solid, stable console and the Quantum 338T has been the perfect upgrade, Hurley says. Having multiple screens is a big advant...
01/07/2026
LEXINGTON, Kentucky - July 2026 -Tyler Childers' seventh and latest studio record, Snipe Hunter, is an adventurously sprawling collection of tunes that span...
01/07/2026
** MEDIA ALERT **
BLEACH Comes to Life in Los Angeles with First-of-Its-Kind...
01/07/2026
UKTV has today announced the appointment of Matt Berry to the newly created role of General Manager - Marketing, effective 1 July.
Matt will take on this senio...
01/07/2026
Sky Zero Footprint Fund-backed TV campaign featuring Deborah Meaden challenges consumers to rethink everyday bathroom wasteWednesday 1 July 2026
Fussy asks Bri...
01/07/2026
Constituency-level analysis reveals where girls miss out most on sport - and where targeted action could unlock more than £640 million in economic and health be...
01/07/2026
Wuppertal July 1, 2026
Riedel and SKAARHOJ Expand Collaboration With SimplyLive IntegrationRiedel Communications today announced an expanded collaboration wit...
01/07/2026
Apple today introduced power-packed updates to Apple Creator Studio, a groundbre...
01/07/2026
Nectar360, the Retail Media, Loyalty and Insights business of the Sainsburys Gro...
01/07/2026
9.2 million streams on RT Player between 11 and 28 June
Reach of 2.9 million viewers during Group stages of FIFA World Cup on RT 2
23 million video views acr...