Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
07/05/2026
Journalists reporting on Sudan are working in one of the most complex and fast-m...
07/05/2026
Seit dem Start im Jahr 2023 hat DJ (Beta) das personalisierte H rerlebnis von 94...
07/05/2026
Da quando stata presentata nel 2023, DJ (beta) ha aiutato a definire un'esperienza d'ascolto pi personalizzata per 94 milioni di utenti Spotify Premi...
07/05/2026
Since launching in 2023, DJ (beta) has helped shape a more personalized listenin...
07/05/2026
Desde o lan amento em 2023, o DJ (beta) j ajudou a deixar a experi ncia de ouvi...
07/05/2026
From our earliest days, Spotify has been built on a simple principle: Great audio should be easy to reach. It's what's driven us to expand from music to...
07/05/2026
Asian and Pacific Islander artists continue to shape the global soundscape, pushing creative boundaries and connecting with fans worldwide. This Asian & Pacific...
07/05/2026
Company announce long-requested choir instrument
In the latest expansion of their Symphonic Elements series, UJAM have introduced an all-new vocal instrumen...
07/05/2026
Modular-inspired sound generation with digital control
Buchla have introduced Ziggy, a new compact synthesizer built around the company's complex oscill...
07/05/2026
Combines analogue voices with digital synthesis and sequencing
Polyend have announced Drums, a new hybrid analogue and digital drum machine that combines sy...
07/05/2026
Control surface now officially supports four DAWs
When Nektar launched the Panorama CS12 control surface, it worked exclusively with Apple's Logic Pro, ...
07/05/2026
In the first quarter 2026, SGL Carbon generated consolidated sales of 184.5 million, which was 49.8 million, or 21.3%, lower than in the prior year (Q1 2025: ...
07/05/2026
Rohde & Schwarz and Greenerwave achieve precise and fast ESA antenna characteriz...
07/05/2026
January 8, 2024
Colorfront (colorfront.com), a leader in high-performance, on-s...
07/05/2026
February 9, 2024
Colorfront (colorfront.com), the multi-award-winning pioneer i...
07/05/2026
March 20, 2024
NAB 2024, Las Vegas - Colorfront (colorfront.com), the multi-awa...
07/05/2026
April 1, 2025
CINEMACON, APRIL 1, 2025 - Colorfront (colorfront.com), the multi-award-winning developer of high-performance dailies/transcoding/streaming syste...
07/05/2026
June 15, 2025
Colorfront (colorfront.com), an Academy and Emmy Award-winning de...
07/05/2026
June 15, 2025
Colorfront participated in the ICTA Barcelona Cinema Technology Summit on Sunday, June 15, 2025. Held at The Phenomena Experience, the event feat...
07/05/2026
July 1, 2025
Colorfront (colorfront.com), the multi-award-winning developer of high-performance dailies/transcoding/streaming systems for motion pictures, OTT,...
07/05/2026
July 1, 2025
Passion and dedication will take you places. Come with us on a short trip to the heart of India, where Annapurna Studios is living-up to the inspi...
07/05/2026
July 3, 2025
Colorfront (colorfront.com), the multi-award-winning developer of high-performance dailies/transcoding/streaming systems for motion pictures, OTT,...
07/05/2026
September 1, 2025
IBC 2025, Amsterdam - Colorfront (colorfront.com) - the Acade...
07/05/2026
April 17, 2026
LOS ANGELES - April 17, 2026 - Colorfront today announced Colorf...
07/05/2026
April 23, 2026
NAB 2026, Las Vegas - the Academy and Emmy Award-winning develop...
07/05/2026
Thursday 7 May 2026
Sky continues Sphere Abacus partnership with The Death of S...
07/05/2026
Thursday 7 May 2026
Sky Confirms Saturday Night Live UK will return this September for Series Two
Saturday Night Live UK will return for a second series, as S...
07/05/2026
Save 20% on the Sky Glass Gen 2 and Sky Glass Air TVsThursday 7 May 2026
How to watch the World Cup on Sky Glass
Tune into the World Cup on the BBC and ITV vi...
07/05/2026
Production sound mixer Dirk Sciarrotta has mixed Family Feud for 28 seasons. Thats up to 200 syndicated episodes per year, plus primetime celebrity specials - a...
07/05/2026
As audience expectations have evolved, Owen has stopped trying to hide microphones or excuse amplification. Instead, he treats sound as a fully immersive part o...
07/05/2026
Well known Irish faces pushed to the edge in new series of
Uncharted with Ray G...
07/05/2026
RT will premiere A Traveller Family, a compelling new documentary exploring the...
06/05/2026
New pricing tiers for vocal/dialogue restoration tool
NoiseWorks Audio's AI-powered vocal and dialogue processing plug-in is now available in three diff...
06/05/2026
Popular mixing & routing software overhauled
Following a recent public beta test, RME have launched the final release version of the powerful mixing and rou...
06/05/2026
New SOS Video Feature
Focusrites ISA C8X is a milestone product that brings together the companys analogue heritage and their expertise in digital audio. Yo...
06/05/2026
06 May 2026
VEON's Kyivstar Authorized to Resell Starlink for Businesses & ...
06/05/2026
UKTV has secured the exclusive rights to the early back catalogue of iconic Australian drama series Neighbours, following a landmark content deal with Fremantle...
06/05/2026
Wednesday 6 May 2026
Sky commissions feature documentary to mark 10th anniversa...
06/05/2026
Wednesday 6 May 2026
Sky and Formula 1 agree long-term partnership across UK, Ireland and Italy
Sky in the UK & Ireland to remain the home of Formula 1 until ...
06/05/2026
Sky Zero Footprint Fund-backed TV campaign launches nationwide, supported by new...
06/05/2026
Wuppertal May 6, 2026
Riedel Expands Leadership Structure, Appoints Marc Engro...
06/05/2026
SAN JOSE, Calif. - May 6, 2026 - Harmonic (NASDAQ: HLIT) today announced its latest broadband innovations for ANGA COM 2026, highlighting its vision for a new e...
06/05/2026
Statement from Rupert Murdoch, Chairman Emeritus, Fox Corporation on Ted Turner&...
06/05/2026
Friday 8 May on RT One and RT Player
Meet the NSPCA team caring for and protecting animals in need in this six-part series
Fly on the wall, six-part series...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
