Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
06/05/2026
New pricing tiers for vocal/dialogue restoration tool
NoiseWorks Audio's AI-powered vocal and dialogue processing plug-in is now available in three diff...
06/05/2026
Popular mixing & routing software overhauled
Following a recent public beta test, RME have launched the final release version of the powerful mixing and rou...
06/05/2026
New SOS Video Feature
Focusrites ISA C8X is a milestone product that brings together the companys analogue heritage and their expertise in digital audio. Yo...
06/05/2026
06 May 2026
VEON's Kyivstar Authorized to Resell Starlink for Businesses & ...
06/05/2026
UKTV has secured the exclusive rights to the early back catalogue of iconic Australian drama series Neighbours, following a landmark content deal with Fremantle...
06/05/2026
Wednesday 6 May 2026
Sky commissions feature documentary to mark 10th anniversa...
06/05/2026
Wednesday 6 May 2026
Sky and Formula 1 agree long-term partnership across UK, Ireland and Italy
Sky in the UK & Ireland to remain the home of Formula 1 until ...
06/05/2026
Sky Zero Footprint Fund-backed TV campaign launches nationwide, supported by new...
06/05/2026
Wuppertal May 6, 2026
Riedel Expands Leadership Structure, Appoints Marc Engro...
06/05/2026
SAN JOSE, Calif. - May 6, 2026 - Harmonic (NASDAQ: HLIT) today announced its latest broadband innovations for ANGA COM 2026, highlighting its vision for a new e...
06/05/2026
Statement from Rupert Murdoch, Chairman Emeritus, Fox Corporation on Ted Turner&...
06/05/2026
Friday 8 May on RT One and RT Player
Meet the NSPCA team caring for and protecting animals in need in this six-part series
Fly on the wall, six-part series...
05/05/2026
Experts from the world of academia, tech, business, politics and media convened for a Thomson Talks at the Cambridge Disinformation Summit in April. It's th...
05/05/2026
Another year, and more proof that Asia continues to shape some of the world's most exciting new sounds. This year's RADAR artists draw from deep local r...
05/05/2026
The Austin City Limits Music Fest 2026 lineup just dropped, and this year, Spoti...
05/05/2026
New drum machine book campaign incoming
Bjooks have announced that during Superbooth 2026, they will be launching a Kickstarter campaign to fund the product...
05/05/2026
Flagship all-in-one production bundle updated
The latest version of Native Instruments' flagship virtual instrument and plug-in bundle has just been ann...
05/05/2026
Rohde & Schwarz to host RF Testing Innovations Forum 2026, helping design engine...
05/05/2026
The company grew by 7.6% in net revenue and 16.3% in EBITDA, achieving a 33% inc...
05/05/2026
FOX Sports, FOX One and Indeed Launch Nationwide Search for FOX One Chief World...
04/05/2026
just:play pro 2026 and just:live pro 2026 are available to download!
More Details:At NAB 2026, ToolsOnAir showcased just:play pro 2026 and just:live pro 2026, ...
04/05/2026
just:in mac pro 2026 - The Next Level of Professional Recording on macOS
More Details:The headline innovation in just:in mac pro 2026 is the new Auto format si...
04/05/2026
Last week, guests gathered in New York City for On Air, In Style: An Evening with Spotify-a night of conversation, culture, and connection celebrating the inter...
04/05/2026
New music & post-production features added
Avid's latest DAW update delivers an array of helpful features aimed at both music and post-production users,...
03/05/2026
Polysynth now features Mutable Instruments' macro oscillators
Melbourne Instruments have just released a free firmware update that brings the engine beh...
02/05/2026
Versatile re-amping tool announced
Warm Audio are best known for their recreations of sought-after vintage studio gear, but their latest release brings a ne...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
Florals for spring? Groundbreaking. But a playlist that tells you which The Devi...
01/05/2026
One of the world's biggest popstars is headed to El Cl sico. Later this mont...
01/05/2026
Limited-edition model celebrates 15th anniversary
Heritage Audio's range of monitor controllers has just gained a new member, the Baby RAM Black Edition...
01/05/2026
Dumble recreation now available as UAD plug-in
Along with their renowned processing plug-ins, Universal Audio have been steadily introducing emulations of c...
01/05/2026
We were lucky enough to benefit from huge generosity, so we now have a fantastic Quantum 338T and are developing a cutting-edge d&b loudspeaker system, he expa...
01/05/2026
The first Quantum console purchase made by the company was a Quantum 338 in September 2020. Since then, the company has leveraged Quantum power to steadily expa...
01/05/2026
Friday 1 May 2026
Hannah Waddingham and Ncuti Gatwa to host the series final tw...
01/05/2026
Friday 1 May 2026
Got plans? Cancel them. Sky Sports Big Weekend is coming
Sky Sports is preparing for a bumper weekend of live action, including Manchester ...
01/05/2026
Friday 1 May 2026
Sky Sports to broadcast all matches from World Sevens Football London edition
Sky Sports will be the exclusive UK broadcaster of the women&#...
01/05/2026
RT Sport awarded first pick free-to-air on Wednesday nights
Champions League and Super Cup finals
Highlights on Wednesday nights
RT today (Thursday 30 Apri...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
30/04/2026
Music is evolving, and so are the ways you discover and connect with artists. In...
30/04/2026
Between April 22-29, the first inaugural Stockholm Music Week brought together thought leaders and partners across industries including music, tech, government,...
30/04/2026
Iconic large-format console upgraded
API's iconic Vision console has just been treated to an overhaul that aims to meet the demands of today's profe...
30/04/2026
Comes complete with miking accessories
The LCT 440 Pure has proven to be a popular member of Lewitt's mic line-up, offering impressive technical perform...
30/04/2026
24 October 2026 at The Octagon, Sheffield
Now in its eighth year, SynthFest UK is the largest event of its kind in the UK, bringing together the top keyboar...
30/04/2026
Rohde & Schwarz equips new Terminal 3 at Frankfurt Airport with security scanner...
30/04/2026
Rohde & Schwarz expands broadband amplifier portfolio with new power classes up ...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
