Spotify Has Paid Out Over $142K To Hackers ⁠— But Not Ransoms

  • Save

  • Save
Photo Credit: Unsplash

Spotify has paid out over $142,000 to helpful hackers to plug security holes.

With over 232 million monthly active users, Spotify is now a target for ransacking hackers.  Accordingly, the company is shifting its prevention strategies to include bounties for anyone who discovers an exploit.

That includes some handsome payouts.  The HackerOne bug bounty program reveals Spotify has paid out over $142,000 since May 2017. Before that, the platform relied on reports to a security email inbox for external security tips.

Spotify accepts security reports from hackers via the platform. The issue can then be checked and added to Spotify’s own internal bug tracker based on severity. Spotify’s bug resolution time is now around 24 days from disclosure to fix deployment. After the fix is deployed, hackers are paid a bounty whose value is based on the severity of the issue reported.

Severity scoring for Spotify’s bug bounty uses the Common Vulnerability Scoring System. Spotify has resolved over 416 reports since switching to the HackerOne platform in 2017. The average bounty payout is $300, but the top bounty payouts range from $875—$3,000.

Spotify encourages responsible disclosure of bugs and security vulnerabilities of its platform. But it does ask hackers to be respectful of its end users. On the bug bounty page, there’s a list of things the company asks hackers explicitly not to do. These include:

  • Do not attack accounts belonging to an end-user.
  • Don’t run automated scans without checking first.
  • Do not test the physical security of Spotify offices.
  • Don’t test using social engineering techniques like phishing.
  • Do not perform DDoS attacks.
  • Don’t engage in trade of stolen user credentials.

Of course, those types of breaches are exactly what black hat hackers enjoy, though Spotify is hoping that everyone plays by their rules.

One interesting note buried in recent reporting is that Spotify admits the majority of vulnerability reports relate to sites that have been contracted to outside firms for development. The company is now working on a global Preferred Production Partner Program that uses security-focused standards for its partners. Spotify says the program also includes a set of expectations for vendors to respond to bug bounty program vulnerabilities.