Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
At Spotify, we're committed to protecting our information, as well as yours. So two years ago we began using the HackerOne platform for our bug bounty program. Now, we're looking back on successes and learnings that will continue to help improve the program at Spotify.
Want to learn more? We've broken it down into six frequently asked questions.
1. First off, what is a bug bounty program? There are ethical and responsible security researchers who discover weaknesses via the same tactics and tools used by hackers. They report these weaknesses to site owners, so that they can be fixed before others can use them for malicious purposes. Bug bounty programs exist to make it easier for security researchers to report these weaknesses to site owners. As a token of gratitude, the site owners often reward money or swag to the researchers for their efforts.
2. When and why did Spotify start a bug bounty program? Our Security team launched its bug bounty program in 2015, when we were a very small team that occasionally received vulnerability reports from researchers responsibly disclosing bugs. Although we didn't receive a huge number of reports, it was clear that managing them by hand, primarily through email, would prove difficult. During that time, we had been rewarding reports with any swag we happened to have on hand, or giving them credit on our wall of fame at https://www.spotify.com/bounty/. However, because this work and reporting was so crucial, we wanted to start giving cash for bug submissions.
In May 2017, we moved our bug bounty program onto HackerOne, a leading cybersecurity bug bounty platform, to take advantage of their platform and managed services. We now accept bug bounty reports at https://hackerone.com/spotify. From there, the HackerOne team reviews the report for validity and severity, then loops in our Spotify Security team. Then, we're able to work together to find a resolution and reward the security researcher who found the bug in the first place.
3. What are some of the benefits of using HackerOne? Since we started using the HackerOne platform and managed services, we've received over 365 valid and actionable reports and rewarded over $120,000 to security researchers for their efforts.
4. What sort of problems have been reported? We receive the largest amount of reports on our most visible websites, www.spotify.com and community.spotify.com, but also receive reports on our mobile applications, desktop applications, and other apps and software.
One other area where we face challenges is with partner development. The reports we get here are for sites that Spotify has contracted to have built, or companies that Spotify has acquired that didn't have the benefit of being developed with the same security protocols in place.
5. Why is finding these vulnerabilities such a big deal? If the vulnerabilities mentioned above were to be discovered by a malicious actor, our websites or apps could be attacked, thus harming the brand and reputation of Spotify. Or, the credentials could be used for lateral movement or in a phishing attack. None of this is good for us or our users.
6. So what's the next step for security at Spotify? As mentioned, a lot of reports come regarding sites developed by our partner developers. So to help them, we're developing something we call the Global Preferred Production Partner Program. It's a security-focused set of standards and runtime environments for Partner Developers outside of Spotify. It also includes a set of expectations for vendors that help us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program.
So far, working with HackerOne has raised security awareness within our engineering organization, exposed weaknesses in our security posture, and helped us better understand our attack surface. Even if you have no experience in bug hunting, check out our program page at https://hackerone.com/spotify. We think there are always opportunities to make our security stronger.
Europe Stories
05/01/2027
Worlds first 802.15.4ab-UWB chip verified by Calterah and Rohde & Schwarz to be ...
04/08/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
04/07/2026
April 7 2026, 19:00 (PDT) Detective Conan: Fallen Angel of the Highway Opens in...
01/06/2026
January 6 2026, 05:30 (PST) Dolby Sets the New Standard for Premium Entertainment at CES 2026
Throughout the week, Dolby brings to life the latest innovatio...
02/05/2026
Dalet, a leading technology and service provider for media-rich organizations, t...
01/05/2026
January 5 2026, 18:30 (PST) NBCUniversal's Peacock to Be First Streamer to ...
30/04/2026
Rian na Fola airs on RT One and RT Player on Monday May 4
Rian na Fola is a o...
29/04/2026
Combines EQ and harmonic distortion
Techivation's latest release is a simple EQ designed to offer quick control over a source's overall tonal balanc...
29/04/2026
Two new MPE controllers announced
Expressive E caused quite a stir when they released the Osmose, making the sort of expression that was once reserved for p...
29/04/2026
New modules & enhanced machine-learning
The latest version of iZotope's flagship restoration suite is now available, and now offers over 50 tools design...
29/04/2026
Voting opens at 4pm today
RT 's Today show have announced the eight finalists for their TV Home Cook competition. Amateur cooks from Cork, Dublin, Galway ...
29/04/2026
29 Apr 2026
VEON and Kyivstar Fulfill Commitment to Invest USD 1 Billion in Ukr...
29/04/2026
Rhod Gilbert, Harriet Kemsley, Kae Kurd, Sara Pascoe and Vicki Pattison to take part in brand new series on free streaming service U
London, 29th April 2026: F...
29/04/2026
Wednesday 29 April 2026
Katie Price: Nothing to Hide, a Sky Original documentar...
29/04/2026
Re-examining the case of Ellie Williams and the wider story of grooming in the town of BarrowWednesday 29 April 2026
Sky announces upcoming documentary series ...
29/04/2026
Wednesday 29 April 2026
Jennifer Garner to lead an all-star cast in new Sky Exc...
29/04/2026
Students and staff from Hills Road Sixth Form College in Cambridge ran a 4.5km course around the roads of Cambridge as part of their annual programme of sustain...
29/04/2026
The Dawn Chorus airs Sunday 3 May from midnight to 7am on RT Radio 1 and RT ly...
28/04/2026
Today, we announced our First Quarter 2026 earnings, starting the Year of Raising Ambition with strong momentum across the business and continued innovation acr...
28/04/2026
I dag presenterade vi v rt resultat f r det f rsta kvartalet 2026. Vi inleder ret med starkt momentum i hela verksamheten och fortsatt innovation p plattforme...
28/04/2026
New handheld promises studio performance for the stage
Mojave have just introduced a new live-focused handheld vocal mic created by award-winning designer D...
28/04/2026
Max for Live device offers AI-powered stem separation
Dynamic Split Module (DSM) is a new Max for Live device created by Ostin Solo, a developer and musican...
28/04/2026
First interface equipped with ISA preamps
Focusrite have just announced the launch of a new high-end audio interface that features a pair of their legendary...
28/04/2026
In 2023, Norwegian climber Kristin Harila set out to break a mountaineering reco...
28/04/2026
RT News is pleased to announce the appointment of Sean Whelan as its new London Correspondent.
Sean has held the role of Washington Correspondent for the last...
28/04/2026
Joseph O'Connor, Eileen Walsh, Louise Duffy, Mick Lynch, Gormfhlaith N Thuairisg and Dermot Bannon take a personal look at life 100yrs ago in new TV docume...
27/04/2026
N r Spotify grundades f r 20 r sedan dominerades musikmarknaden av illegal nedladdning. Sedan dess har streaming bidragit till att teruppr tta betalningsvilja...
27/04/2026
Time on Spotify should feel meaningful and intentional, not something that slips...
27/04/2026
New modular multi-effects plug-in revealed
The latest plug-in from Brainworx delivers a modular set of effects designed to offer a convenient alternative to...
27/04/2026
Kit includes supercardioid & shotgun capsules
High-end mic manufacturer Schoeps have recently introduced another member of their Desert Island Set family. O...
27/04/2026
LA2A-inspired 500-series module arrives
Sound Skulptor have announced the upcoming launch of a new 500-series module that aims to recreate one of the most p...
27/04/2026
SSL-inspired compressor unit upgraded
Stam Audio are well known for their painstaking recreations of vintage audio gear, with their extensive product range ...
27/04/2026
Red Seat Ventures Announces Exclusive Multiyear Partnership with Kill Tony The Company is the New Monetization and Distribution Home for the Globally Popula...
27/04/2026
RT 2FM is calling on aspiring DJs across Ireland to take their shot at the spot...
27/04/2026
RT continues to champion Ireland's creative life this May, supporting a broad range of festivals, exhibitions and performances across music, theatre, liter...
25/04/2026
In the heart of Mexico City, music, culture, and fashion converged last night as Spotify and Vogue Latin America welcomed guests to an intimate gathering at Soh...
25/04/2026
New modular multi-effects plug-in revealed
The latest plug-in from Brainworx delivers a modular set of effects designed to offer a convenient alternative to...
24/04/2026
Earth Day is a chance to reflect on our connection to the natural world. To mark the 57th Earth Day on April 22, Spotify's editors have pulled together a co...
24/04/2026
This past weekend, Spotify was at the heart of the largest literary event in the...
24/04/2026
All data tells a story, and in our case, that story is written by you. To celebrate 20 years of Spotify, we're sharing bite sized moments that capture how t...
24/04/2026
Over the past 20 years, Spotify's look and feel has evolved with the way people use our platform, while ensuring we preserve an intuitive, personal, and fam...
24/04/2026
It's been 20 years since Spotify began, but the real story is what the world chose to play. For the first time, we're unveiling the most streamed artist...
24/04/2026
Whether you're relaxing at home or on the go, Spotify is there across more than 2,000 devices, ready with your favorites or something new to discover. Now, ...
24/04/2026
Nintendo and Spotify are welcoming fans to the Super Mario Bros. 40th anniversary and the release of The Super Mario Galaxy Movie with new playlists and a speci...
24/04/2026
30 October - 1 November 2026
The Audio Engineering Society (AES) have announced that the AES Show 2026 will be held on Halloween weekend - Friday 30 October...
24/04/2026
New closed-back design promises honest' low end
Sennheiser have just announced the launch of a new pair of flagship closed-back headphones which they s...
24/04/2026
Powerful 12-channel hardware sequencer announced
Cre8audio are renowned for their innovative, and often visually striking, designs and although their latest...
24/04/2026
Room correction now supports full 9.1.6 Dolby Atmos setups
The software element of IK Multimedia's room-correction system has just received an update th...
24/04/2026
New content for BBO Tutti & BBO Riffs
VSL have recently introduced some new free content expansions for two of their most popular Big Bang Orchestra Packs: ...
24/04/2026
Rohde & Schwarz to highlight its R&S EVSD1000 UAV-based navigation analyzer at I...
Streaming, and Spotify for that matter, couldn't have been made possible without the accessibility and connectivity of the Internet. Unfortunately, with that openness and interconnectedness, came malicious attackers who look to exploit weaknesses in web sites and applications.
