
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting were so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.