Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
01/04/2026
January 4 2026, 18:00 (PST) DOLBY AND DOUYIN EMPOWER THE NEXT GENERATON OF CREATORS WITH DOLBY VISION
Douyin Users Can Now Create And Share Videos With Stun...
27/02/2026
Since its inception, Gorillaz has been known for blending art with genre-bending...
27/02/2026
This week, Spotify introduced Audiobook Charts for the U.S. and U.K. The charts make it easy to discover your next favorite book by showing what's popular a...
27/02/2026
Rohde & Schwarz and Viasat to collaborate on NB-NTN IoT test plan for connectivi...
27/02/2026
In media technology, big features often steal the spotlight - AI integrations, cloud transformations, automation frameworks. But for the people who use these to...
27/02/2026
Digital Asset Management systems sit at the heart of most marcoms operations. They centralise content, organise it, and make it discoverable. Integrated with th...
27/02/2026
The AI Wild West comes to NAB 2026 and Blue Lucy is bringing the Sheriff
The AI Wild West is here, and media organisations are feeling the heat. On Booth W23...
27/02/2026
A deeply personal, uncompromising portrait of the legendary punk rock iconFriday...
27/02/2026
One of Ireland's favourite lifestyle shows Home of the Year, returns for its 12th series and will be proudly sponsored by SIRO. The brand-new series will ai...
27/02/2026
Our Farm: A GIY Story lands on RT One and RT Player from March 3
From walled garden to community farm, new six-part series captures the unfiltered realities...
27/02/2026
Note: English version included below the Irish language version.
Seachtain na Gaeilge 2026 ar RT
A Ghaeilge mo cheol th '
T feachtas athnuaite i n...
26/02/2026
Rohde & Schwarz awarded contract by Israel Airports Authority for QPS201 securit...
26/02/2026
Rohde & Schwarz highlights its unique CMX500 one-box tester tailored for NTN tes...
26/02/2026
Rohde & Schwarz high-efficiency transmitter powers next-gen broadcast services i...
26/02/2026
Rohde & Schwarz highlights its comprehensive embedded systems test solutions at ...
26/02/2026
Rohde & Schwarz to showcase spectrum security and network efficiency solutions a...
26/02/2026
Rohde & Schwarz and Broadcom showcase first Wi-Fi 8 RF signaling tests, paving w...
26/02/2026
Rohde & Schwarz advances AI-RAN testing using digital twins with NVIDIA Rohde & Schwarz, in collaboration with NVIDIA, continues to drive AI-RAN innovation fo...
26/02/2026
Rohde & Schwarz and LITEON demonstrate high throughput 5G femtocell testing with...
26/02/2026
The agreement ensures Europe's satellite-based augmentation continues enhanc...
26/02/2026
There were two big wins for RT KIDS shows at the 17th Kidscreen Awards in San Diego this week with Maddie Triggs and BeddyByes both taking home gongs.
The K...
26/02/2026
26 Feb 2026
VEON to Release FY25 Earnings Update on March 13, 2026 Dubai and New York, February 26, 2026 - VEON Ltd. (NASDAQ: VEON), a global digital operator ...
26/02/2026
What can I watch on UKTV and stream on U this week?
This week's highlights include new episodes of Will and Ralf Should Know Better, The Marlow Murder Club...
26/02/2026
Thursday 26 February 2026
Sky partners with STARZ on high-impact boxing drama F...
26/02/2026
Thursday 26 February 2026
An Open Letter to Our Fellow Leaders in Global Media
From:
Tim Davie, BBC Director-General
Jon Slade, CEO, Financial Times
Anna B...
26/02/2026
Wuppertal February 26, 2026
Teatro alla Scala Elevates Backstage Communication with Riedel's BoleroRiedel Communications today announced that Fondazione T...
26/02/2026
RT has confirmed that it has today received payment from the GAA for its 50% share of GAAGO.
RT confirmed in February 2025 that it had agreed in principle wi...
26/02/2026
RT Statement regarding the broadcast of Republic of Ireland vs Israel Nations League fixture
If the match goes ahead and that is a decision for the FAI as ...
25/02/2026
It's never been easier to customize your Spotify listening experience. Last year, we introduced more control over the way your playlist sounds, giving Premi...
25/02/2026
Hip-hop thrives on constant reinvention, with bold voices and fearless experimentation continually pushing the genre's boundaries. Every era brings new lead...
25/02/2026
In 2025, Magyar Telekom continued the consistent execution of its long-term stra...
25/02/2026
Joe Wilkinson and Joe Marler reunite for a tongue-in-cheek campaign exploring the hilarious extremes of modern loveWednesday 25 February 2026
Mix Tapes to Vide...
25/02/2026
Harmonic's XOS Advanced Media Processor Leverages AI-Powered Encoding to Deliver Exceptional Video Quality to Alcom Customers SAN JOSE, Calif. - Feb. 25, 2...
24/02/2026
Life needs music. So does the afterlife. That's why Spotify has partnered wi...
24/02/2026
Last weekend, S o Paulo buzzed with energy as Bad Bunny took the stage for two n...
24/02/2026
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({...
24/02/2026
Paul C. Brunson: Red Flag to be produced by FirstLookTV and launch in 2026
UKTV...
24/02/2026
This year, we're back at the Media Production and Technology Show (MPTS) in London. As always, we're looking forward to catching up with existing contac...
24/02/2026
We are pleased to announce that Pete Whiteway is joining the dB Technology Group as a Senior Systems Engineer. Pete brings over 20 years of experience in broadc...
24/02/2026
End-to-End Transparency in the Supply Chain You Can Touch
The team at LogiMAT 2025 - from left: Michael Dreimann, Andr Haff, Nicolas Lapp, Bernd Jaschinski-...
24/02/2026
Katharine Wolinska appointed to lead Partnerships
RT Commercial has announced ...
23/02/2026
Prompted Playlist is expanding in beta to Premium listeners in the U.K., Ireland...
23/02/2026
When Spotify launched in Nigeria in February 2021, the very first song a user st...
23/02/2026
aconnic AG (ISIN: DE000A0LBKW6), Munich, will present its latest cybersecurity, ...
23/02/2026
X-Rite Pantone Launches Event Series to Modernize Textile Color Workflows
X-Rite Pantone, the global authority in color standards and color science, today a...
23/02/2026
Audience peak of over a million on RT 2 as Ireland beat England in the Six Natio...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
