
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness came malicious attackers who look to exploit weaknesses in websites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving researchers credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting were so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest number of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports concern sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for partner developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond to and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.