Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
08/04/2026
On March 7, Bad Bunny made history with his first-ever performance in Asia, taki...
08/04/2026
El 7 de marzo, Bad Bunny hizo historia con su primera presentaci n en Asia, subi...
08/04/2026
New channel strip plug-in revealed
The latest plug-in to be added to the Fuse Audio Labs line-up emulates a selection of vintage hardware units, combining c...
08/04/2026
Guitar & bass multi-effects software overhauled
Blue Cat Audio's flagship guitar and bass multi-effects software has recently received a significant upd...
08/04/2026
PanNoir mixer integration, Dolby Atmos Renderer & more
Merging Technologies have just launched Pyramix 16, the latest major update to their renowned DAW sof...
08/04/2026
Applicable Products Part number Description
QUARTZ-22-LTE (EU) Dual Port Dual SIM LTE Router (EU)
QUARTZ-COMPACT-11-LTE (EU) Single Port Compact LTE ...
08/04/2026
All episodes available on Thursday 30 April on Sky Atlantic and NOWWednesday 8 A...
08/04/2026
ICG is gearing up for a busy day on 14th May in Manchester.
First up, we'll be joining the Northern Marketing Festival as one of the event's marketing ...
08/04/2026
The Teatro Col n in Buenos Aires is not a venue that tolerates compromise. Built in 1908 and routinely ranked among the worlds finest concert halls, it has an a...
08/04/2026
Young Forever: The Death of Ageing? airs Monday 13 April and 20 April on RT One and RT Player
Around the world, the race to beat ageing is on. From cutting ...
07/04/2026
Starting today, Prompted Playlist is expanding beyond music to now include podca...
07/04/2026
Launched alongside piano promotion
The latest instalment in VSL's Synchron Series line-up captures the sound of a faithful copy of a Fran ois tienne Bl...
07/04/2026
Flagship sampling pad gets an update
Roland's flagship sampling pad has just received a major update that kits it out with an array of new features and ...
07/04/2026
Popular compact wireless system upgraded
Sound Devices have recently introduced a new and improved version of their compact wireless transmitter bodypacks, ...
07/04/2026
SAN JOSE, Calif. - April 7, 2026 - Harmonic (NASDAQ: HLIT) today announced it wi...
07/04/2026
FOX to Integrate Kalshi Forecasts Across FOX News Media and FOX One Platforms NEW YORK, NY (April 7, 2026) - Kalshi, the world's largest prediction market...
07/04/2026
THE GAA CHAMPIONSHIPS ARE BACK WITH A BANG
LIVE AND FREE TO AIR ACROSS ALL RT PLATFORMS
The Sunday Game and The Sunday Game Live return on Sunday 12 April
L...
06/04/2026
Like the immortal lives of vampires, some stories never really end. That's t...
06/04/2026
As podcasting continues to evolve, growth increasingly means building beyond aud...
06/04/2026
Multiband dynamics plug-in enhanced
California-based developer FSK Audio have released a significant update for their innovative multiband dynamics processo...
06/04/2026
Share official & user-created full-rig presets
IK Multimedia's latest TONEX update makes it possible for users of the popular amp and effects modelling ...
06/04/2026
Wayne, N.J., April 6th, 2026 Phantom High-Speed announces the release of PCC 4...
05/04/2026
Tackles all reported bugs!
SoundBridge have just announced the launch of a new update that introduces a couple of minor changes to their remote collaboratio...
04/04/2026
Faster, cleaner and more intuitive than ever
The control software for Flock Audio's digitally controlled patchbay systems has just been treated to an up...
03/04/2026
Iconic guitar pedals now available in plug-in form
Guitar effects experts Electro-Harmonix have teamed up with MixWave to turn a collection of their most pr...
03/04/2026
New multi-band AUv3 plug-in announced
Fred Anton Corvest (FAC) offer an extensive range of AUv3 plug-ins and iOS/iPadOS Apps, and their multiband effects pr...
03/04/2026
Just 84 units to be released in the US
Experimental synthesizer and sound-machine extraordinaires SOMA Laboratory have revealed an upcoming special-edition ...
03/04/2026
Emulates the input section of an Ampex 350
One of the latest arrivals to the Iconic Instruments range delivers a new tube preamp plug-in inspired by the cir...
03/04/2026
VIZ Media Lands Rumiko Takahashi's MAO, Sets April 4 Premiere on Hulu in the...
02/04/2026
4 - 11 April 2026
VEMIA's latest gear auction is just around the corner, and there's already a wealth of sought-after instruments and studio gear li...
02/04/2026
Little Labs emulation now available to all
The latest Universal Audio plug-in to become available outside of the company's DSP-powered UAD2 platform has...
02/04/2026
Red Seat Ventures Launches Speakeasy, a New Hosting, Distribution and Monetizati...
02/04/2026
2FM Breakfast to extend on weekday mornings from 6am to 10am
Doireann Garrihy m...
02/04/2026
RT News & Current Affairs is pleased to announce the appointment of RT Radio 1 reporter, Barry Lenihan, as Political Correspondent.
Barry has reported across...
01/04/2026
This year, Spotify celebrates the five-year anniversary of EQUAL, our global pro...
01/04/2026
Analogue-style tape splicing in the digital domain
In this era of digital recording and multiple layers of Undo, it seems that the fading art of tape splici...
01/04/2026
Latest release introduces new Orbita Engine
Zero G's latest release marks the start of a new series of libraries, as well as introducing an all-new engi...
01/04/2026
Until now, one format has largely been left behind
Warm Audio's extensive product range includes modern-day recreations of all manner of sought-after s...
01/04/2026
A piano with glass vessels for strings!
The Crow Hill Company's recently released Gong Piano offered a refreshing new take on piano libraries, harnessin...
01/04/2026
Remote Streaming Studio Condenser
Aim Audio have just revealed their latest creation, the ESSENCE RS Remote Streaming Studio Condenser, which becomes the wo...
01/04/2026
Bilbao, April 1st, 2026 - AgileTV, a leading provider of end-to-end TV technolog...
01/04/2026
We have been working with Mr.Team Productions and the Wonderfruit team for many years, he says. Throughout that time, the festival has grown from 2,000 attend...
01/04/2026
UKTV today announces that Jonathan Newman has formally stepped into the role of ...
01/04/2026
Wuppertal April 1, 2026
Binghamton University Strengthens Student Run Producti...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
