Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
13/04/2026
Intuitive EQ plug-in gets an upgrade
Following its official launch back in February 2026, Musik Hack's intuitive EQ plug-in has been treated to its firs...
13/04/2026
Flagship soft synth collection expanded
The latest version of UVI's flagship vintage-inspired soft synth collection has just arrived, expanding the suit...
13/04/2026
Free version of innovative string library arrives
Released in October 2025, Lux Orchestral Strings was said to be Sonuscore's most ambitious library to ...
13/04/2026
The Girls' Research Camp is part of the Technology - Future in Bavaria edu...
13/04/2026
Rohde & Schwarz transforms submarine communications for real time underwater dom...
13/04/2026
Rohde & Schwarz enables Pulsar signal simulation to support next-generation navi...
13/04/2026
Monday 13 April 2026
Global environmental action NGO WRAP brings recycling to l...
13/04/2026
J nger Audio has joined the EBU ADM Implementers Group (ADM-IG) as a founding me...
13/04/2026
FOX Latin America Announces The Launch Of The FOX Channel In Central America And...
13/04/2026
No amps, no safety net The biggest challenge was the music itself. Everything in the film is acoustic and unamplified. The theme itself is kind of hard to expl...
13/04/2026
RT Radio 1 has today launched a significant step in its ongoing strategic evolution. Following the launch of its brand-new schedule late last year, RT Radio 1...
13/04/2026
The Late Late Show Opening Act, the search for Ireland's newest country musi...
13/04/2026
RT has today announced the appointment of Annemarie Britz to the position of Chief Financial Officer, RT following a public competition.
Annemarie Britz is c...
12/04/2026
Headphone system designed for immersive monitoring
With the demand for immersive audio showing no signs of slowing down, lots of companies are turning their...
11/04/2026
Engineer collective welcome Freddy Knop
Infrasonic, an award-winning collective of audio engineers operating out of Nashville and Los Angeles with credits r...
10/04/2026
After launching the Spotify Podcast Awards in Mexico last year, we brought the fan-voted celebration to Paris this week for its first edition in France. Hosted ...
10/04/2026
Powered and unpowered live PA ranges upgraded
Yamaha have just refreshed four of their hugely popular PA speaker ranges, delivering significant improvements...
10/04/2026
Underlying plug-in & VI technology now available to others
UJAM's latest announcement sees the company open up' Gorilla Engine, the development pla...
10/04/2026
What can I watch on UKTV and stream on U this week?
This week on UKTV and the free streaming service U, viewers can watch a range of new and returning programm...
10/04/2026
Five-part Sky Original drama airs nightly on Sky Mix and Sky Atlantic from 20 Ap...
09/04/2026
Staines-upon-Thames, UK, 09, April, 2026 - Yospace, the trusted leader in Dynam...
09/04/2026
just:play pro 2026 and just:live pro 2026 Sneak Preview News for NAB 2026
More Details:At NAB 2026, ToolsOnAir will showcase just:play pro 2026 and just:live p...
09/04/2026
just:in mac pro 2026 - The Next Level of Professional Recording on macOS at NAB ...
09/04/2026
Spotify has always been about putting listeners in the driver's seat. Today, people don't just want more ways to spend their time; they want that time t...
09/04/2026
Our Chief Public Affairs Officer Dustee Jenkins shares how we're building a more positive experience for families on Spotify.
As Spotify's Chief Public...
09/04/2026
Festival season is upon us. From sun-soaked weekends out west to iconic stages in Chicago and New York, fans are getting ready to see their favorite artists liv...
09/04/2026
O Spotify sempre teve como foco colocar os ouvintes no controle. Hoje, as pessoas n o querem apenas mais formas de passar o tempo - elas querem que esse tempo s...
09/04/2026
Read the original note in English here.
Nossa Chief Public Affairs Officer, Dustee Jenkins, compartilha como estamos construindo uma experi ncia mais positiva ...
09/04/2026
New synth focuses on sci-fi scoring
Following their formation and debut releases in December 2025, Smokestack Sounds - the brainchild of composer and produc...
09/04/2026
Latest version set for May 2026 launch
Reason Studios have revealed that the latest version of their DAW software will be launching in May 2026. Currently a...
09/04/2026
New EQ aimed at mix-bus & mastering duties
Shy Audio's first two releases focused on the past, delivering recreations of the budget mixers that were com...
09/04/2026
Based on John Galsworthy's novels known collectively as The Forsyte Saga a...
09/04/2026
The Forsytes has been renewed for a third season before the period drama has even premiered on PBS Masterpiece.
The adaptation of John Galsworthy's novel, ...
09/04/2026
IThe BBC has commissioned new drama The Witch Farm, starring Gabrielle Creevy (T...
09/04/2026
The next big thing To help broadcasters fully embrace dynamic hybrid workflows, Calrec will make a major announcement that unlocks even more freedom for broadca...
09/04/2026
Thursday 9 April 2026
Kick It Out and Sky extend ongoing partnership
Sky Sports and Kick It Out have extended their partnership for another year, as both orga...
09/04/2026
Thursday 9 April 2026
Justice turns deadly at sea as Jason Statham stars in new...
09/04/2026
Author: Pavel Smokotnin, RTW R&D
The ATSC 3.0 standard , released on July 17, 2025, defines a comprehensive set of requirements for terrestrial next-generatio...
09/04/2026
Enhancements Including MCP Connectivity, Intelligent Video Asset Orchestration and Red Hat OpenShift Deployment Transform Hybrid Video Streaming SAN JOSE, Calif...
09/04/2026
Own a 3rd or 4th Gen Scarlett interface? Download Cubase LE for free We're adding a new DAW to your collection here's what's included, and how t...
09/04/2026
Multi-year agreement enables Nation Radio to scale audiences, strengthen digital delivery and unlock new commercial opportunities
09 April 2026 - London, UK - ...
09/04/2026
RT Sport has announced Brian Fenton will join its Sunday Game GAA punditry panel for the 2026 Championship, featuring across video, audio, online including the...
09/04/2026
Doireann N Ghlac in returns as presenter, with the first episode airing this Friday at 8.30pm on RT One and RT Player
The beloved walking series Tracks & T...
08/04/2026
On March 7, Bad Bunny made history with his first-ever performance in Asia, taki...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
