Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
03/04/2026
Iconic guitar pedals now available in plug-in form
Guitar effects experts Electro-Harmonix have teamed up with MixWave to turn a collection of their most pr...
03/04/2026
New multi-band AUv3 plug-in announced
Fred Anton Corvest (FAC) offer an extensive range of AUv3 plug-ins and iOS/iPadOS Apps, and their multiband effects pr...
03/04/2026
Just 84 units to be released in the US
Experimental synthesizer and sound-machine extraordinaires SOMA Laboratory have revealed an upcoming special-edition ...
03/04/2026
Emulates the input section of an Ampex 350
One of the latest arrivals to the Iconic Instruments range delivers a new tube preamp plug-in inspired by the cir...
03/04/2026
VIZ Media Lands Rumiko Takahashi's MAO, Sets April 4 Premiere on Hulu in the...
02/04/2026
4 - 11 April 2026
VEMIA's latest gear auction is just around the corner, and there's already a wealth of sought-after instruments and studio gear li...
02/04/2026
Little Labs emulation now available to all
The latest Universal Audio plug-in to become available outside of the company's DSP-powered UAD2 platform has...
02/04/2026
Red Seat Ventures Launches Speakeasy, a New Hosting, Distribution and Monetizati...
02/04/2026
2FM Breakfast to extend on weekday mornings from 6am to 10am
Doireann Garrihy m...
02/04/2026
RT News & Current Affairs is pleased to announce the appointment of RT Radio 1 reporter, Barry Lenihan, as Political Correspondent.
Barry has reported across...
01/04/2026
This year, Spotify celebrates the five-year anniversary of EQUAL, our global pro...
01/04/2026
Analogue-style tape splicing in the digital domain
In this era of digital recording and multiple layers of Undo, it seems that the fading art of tape splici...
01/04/2026
Latest release introduces new Orbita Engine
Zero G's latest release marks the start of a new series of libraries, as well as introducing an all-new engi...
01/04/2026
Until now, one format has largely been left behind
Warm Audio's extensive product range includes modern-day recreations of all manner of sought-after s...
01/04/2026
A piano with glass vessels for strings!
The Crow Hill Company's recently released Gong Piano offered a refreshing new take on piano libraries, harnessin...
01/04/2026
Remote Streaming Studio Condenser
Aim Audio have just revealed their latest creation, the ESSENCE RS Remote Streaming Studio Condenser, which becomes the wo...
01/04/2026
Bilbao, April 1st, 2026 - AgileTV, a leading provider of end-to-end TV technolog...
01/04/2026
UKTV today announces that Jonathan Newman has formally stepped into the role of ...
01/04/2026
Wuppertal April 1, 2026
Binghamton University Strengthens Student Run Producti...
01/04/2026
Harmonic's Media Processing Solutions Maximize Bandwidth Efficiency for Terrestrial Broadcast Delivery SAN JOSE, Calif. - April 1, 2026 - Harmonic (NASDAQ: ...
01/04/2026
Rugby fans won't miss a moment of the action this spring, with full Women�...
01/04/2026
T Bluey ag teacht go RT ! Beginning on Monday 6 April 2026, Bluey will be available as Gaeilge on RT KIDSjr and RT Player. Children will be able to connect w...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
31/03/2026
Spotify has evolved from a streaming platform to an interactive, multiformat eco...
31/03/2026
Lastest New Universal Synthesizer System module announced
Make Noise Music have recently announced the launch of the latest addition to their New Universal ...
31/03/2026
True Stereo DynIR Engine, Virtual Load Shaper & more
Two notes Audio Engineering's Captor X reactive load box and cabinet simulator has built up a solid...
31/03/2026
31 Mar 2026
VEON Announces 2026 AGM and Board Nominees Notice of the 2026 Annual General Meeting of Shareholders of VEON Ltd.
Dubai and New York, March 31, 20...
31/03/2026
Jack Whitehall will be joined by musical guest Jorja Smith - (Show 4 - 11 April)Tuesday 31 March 2026
Jack Whitehall announced as next host of Saturday Night L...
31/03/2026
Tuesday 31 March 2026
Sky Sports announces major women's boxing deal with Most Valuable Promotions
Sky Sports and NOW will become the home of Most Valuabl...
31/03/2026
Stand #N1311 (North Hall)
April 19-22, 2026
Discover why colourists and DITs rely on Baselight and Daylight v7. Explore the latest updates about Nara, our pla...
31/03/2026
31. March 2026 News
DFT is pleased to announce that three Polar HQ scanners...
31/03/2026
United Utilities has reached a significant milestone in its smart metering programme after installing more than 200,000 in the last twelve months.
Over the nex...
30/03/2026
MPE-capable chamber strings library announced
Alongside their collection of Kontakt instruments, Sonora Cinematic have been steadily introducing a series of...
30/03/2026
Latin-inspired percussion instrument announced
Built on a newly developed engine and interface, UJAM's latest instrument has been designed to create Lat...
30/03/2026
Latest Eduardo Tarilonte collaboration announced
The latest library to join Best Service's ever-growing range includes four solo wind instruments that c...
30/03/2026
We want to hear from you!
Complete our SOS Quick Survey and enter the prize draw for a chance to win one of three $50 Amazon vouchers!
Sound On Sound carri...
30/03/2026
30 Mar 2026
JazzCash Onboards Its 1 Millionth Merchant on Pakistan's Nation...
30/03/2026
Sky welcomes Karen Blackett CBE to its DAC and thanks Baroness Prashar and Ndidi Okezie as they step down after five yearsMonday 30 March 2026
Sky announces ch...
30/03/2026
Leading Taiwan Broadband Operator Drives Fiber Deeper with Harmonic SAN JOSE, Calif. - March 30, 2026 - Harmonic (NASDAQ: HLIT) today announced that KBRO, a lea...
28/03/2026
Now features DiGiCo console integration
Harrison's live recording and virtual soundcheck software has just reached its third major version, which among ...
28/03/2026
MPE-capable chamber strings library announced
Alongside their collection of Kontakt instruments, Sonora Cinematic have been steadily introducing a series of...
27/03/2026
New Classic, Amplitude & FlexRange units introduced
GIK Acoustics have just introduced a trio of new bass trap designs that bring improved low-end absorptio...
27/03/2026
Offers personalised Dolby Atmos headphone monitoring
Sonarworks have put their calibration expertise to work on a new mobile app that allows users to create...
27/03/2026
27 Mar 2026
VEON Reinforces Alignment with Shareholder Value Creation Dubai and New York, March 27, 2026 - VEON Ltd. (Nasdaq: VEON; VEON or the Company ), a...
27/03/2026
RT Supporting the Arts
RT is Supporting 20 Arts and Cultural Events all over Ireland this April
RT is proud to support an exciting month of arts and cul...
27/03/2026
Average of 1.37 million viewers watched Irish World Cup heartbreak on RT 2
Over one million streams on RT Player
Highest number of streams for any single eve...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
