6 Frequently Asked Questions About Spotify's Bug Bounty Program

13/09/2019

Streaming, and Spotify for that matter, would not have been possible without the accessibility and connectivity of the Internet. Unfortunately, that openness and interconnectedness also brought malicious attackers who look to exploit weaknesses in websites and applications.

At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.

Want to learn more? We've broken it down into six frequently asked questions.

1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.

2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.

In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.

3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.

4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but we also receive reports on our mobile applications, desktop applications, and other apps and software.

One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.

5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, harming the brand and reputation of Spotify. Or credentials obtained through them could be used for lateral movement or in a phishing attack. None of this is good for us or our users.

6. So what's the next step for security at Spotify? As mentioned, a lot of reports concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that helps ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.

So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
LINK: https://newsroom.spotify.com/2019-09-13/6-frequently-asked-questions-a...