Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
25/04/2026
In the heart of Mexico City, music, culture, and fashion converged last night as Spotify and Vogue Latin America welcomed guests to an intimate gathering at Soh...
25/04/2026
New modular multi-effects plug-in revealed
The latest plug-in from Brainworx delivers a modular set of effects designed to offer a convenient alternative to...
24/04/2026
Earth Day is a chance to reflect on our connection to the natural world. To mark the 57th Earth Day on April 22, Spotify's editors have pulled together a co...
24/04/2026
This past weekend, Spotify was at the heart of the largest literary event in the...
24/04/2026
All data tells a story, and in our case, that story is written by you. To celebrate 20 years of Spotify, we're sharing bite sized moments that capture how t...
24/04/2026
Over the past 20 years, Spotify's look and feel has evolved with the way people use our platform, while ensuring we preserve an intuitive, personal, and fam...
24/04/2026
It's been 20 years since Spotify began, but the real story is what the world chose to play. For the first time, we're unveiling the most streamed artist...
24/04/2026
Whether you're relaxing at home or on the go, Spotify is there across more than 2,000 devices, ready with your favorites or something new to discover. Now, ...
24/04/2026
Nintendo and Spotify are welcoming fans to the Super Mario Bros. 40th anniversary and the release of The Super Mario Galaxy Movie with new playlists and a speci...
24/04/2026
30 October - 1 November 2026
The Audio Engineering Society (AES) have announced that the AES Show 2026 will be held on Halloween weekend - Friday 30 October...
24/04/2026
New closed-back design promises honest' low end
Sennheiser have just announced the launch of a new pair of flagship closed-back headphones which they s...
24/04/2026
Powerful 12-channel hardware sequencer announced
Cre8audio are renowned for their innovative, and often visually striking, designs and although their latest...
24/04/2026
Room correction now supports full 9.1.6 Dolby Atmos setups
The software element of IK Multimedia's room-correction system has just received an update th...
24/04/2026
New content for BBO Tutti & BBO Riffs
VSL have recently introduced some new free content expansions for two of their most popular Big Bang Orchestra Packs: ...
24/04/2026
Rohde & Schwarz to highlight its R&S EVSD1000 UAV-based navigation analyzer at I...
24/04/2026
ITV's Director of Drama Polly Hill has commissioned six part propulsive, lun...
24/04/2026
AgileTV presents in Las Vegas its technological proposition to power safer, more scalable and efficient TV ecosystems for telecom operators, ISPs and entertainm...
24/04/2026
Canada's C gep de Jonqui re and Calrec take five with a substantial TV studio upgrade Underscoring its global reputation as one of Canada's most renowne...
24/04/2026
Redefining Broadcast Workflows at NAB 2026 with our Most Powerful Hardware, Virtual and Hybrid Audio Lineup Yet We're looking forward to meeting up with you...
24/04/2026
24 Apr 2026
VEON Boosts Accessibility for Investors by Waiving Depositary Servi...
24/04/2026
Friday 24 April 2026
All episodes of espionage thriller series Ponies starring ...
24/04/2026
April 24 2026, 00:00 (PDT) Dolby Elevates In-Car Entertainment to New Heights at Auto China 2026
More Automakers, More Models: Dolby-enabled Vehicles Drive...
24/04/2026
April 24 2026, 06:48 (PDT) Dolby Cinema Arrives in Tamil Nadu: Dolby Laboratori...
23/04/2026
23 Apr 2026
VEON 2025 Integrated Annual Report: Record Digital Growth, Sovereig...
23/04/2026
FOX Advertising Launches FOX AdStudio, Unifying Audience Intelligence Across Its...
23/04/2026
Dalet, a leading technology and service provider for media-rich organizations, today announced that Dalia, its agentic AI solution for media & entertainment, ha...
23/04/2026
Six crafts. Six lives.
Six reasons to believe that making things by hand
still...
23/04/2026
The festival programme promises a feast of drama, a bumper packed fringe festiva...
23/04/2026
Dermot Bannon's Celebrity Super Spaces airs Sunday 26 April and 3 May on RT ...
22/04/2026
Spotify and the New York Liberty are teaming up to give music and basketball fan...
22/04/2026
New 20-minute documentary explores iconic design The Focusrite Room in Mesa, Arizona, where John Aquilino hosts the Studio Console 005.
In 2025, Focusrite co...
22/04/2026
Offers compact wireless solution for pedalboards
Taiwanese audio brand Cloudvocal have announced the availability of a new pedalboard-friendly wireless syst...
22/04/2026
Latest hybrid sampling/synthesis instrument arrives
Arturia's Augmented series offerings rely on a mixture of sampling and synthesis, allowing users to ...
22/04/2026
Combines three distinct analogue EQ emulations
The latest addition to Acustica Audio's ever-expanding collection of analogue-emulation plug-ins combines...
22/04/2026
Final instalment in vintage-inspired instrument series
Analog Empire: Bass & Lead marks the final instalment in Melda Production's vintage hardware-insp...
22/04/2026
Fuzz pedal joins all-analogue Series A line
Given that Strymons reputation was built on unapologetically digital pedals, it was a little surprising to see t...
22/04/2026
22 Apr 2026
VEON's Banglalink to Bring Starlink Mobile to Customers in Bangladesh Bangladesh becomes the third market where VEON and Starlink Mobile partne...
22/04/2026
U have unveiled exclusive first-look images for their six-part police thriller Hit Point, starring Nick Blood (Day of the Jackal) and BAFTA nominee Saffron Hock...
22/04/2026
What can I watch on UKTV and stream on U this week?
This week on UKTV and the free streaming service U, viewers can watch a range of new and returning programm...
22/04/2026
Wednesday 22 April 2026
Sky announces fifth year of WNT Fund with 30,000 bursa...
22/04/2026
The move from Retail Media to Commerce Media is about broadening the scope of th...
22/04/2026
April 22 2026, 07:00 (PDT) Dolby and BMW Bring Dolby Atmos to the BMW 7 Series,...
22/04/2026
RT Documentary On One 7-part series breaks US market for first time
RT Programme Sales has announced its first deal with a US distribution partner for its 7-...
21/04/2026
Five years ago, Spotify arrived in Pakistan, opening a new chapter in the country's music scene. Since then, local listeners have explored across genres, ge...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
