Spotify has paid out over $142,000 to helpful hackers to help keep its app and site secure.
With over 232 million monthly active users, Spotify has a lot of data to keep safe. The HackerOne bug bounty program reveals Spotify has paid out over $142,000 since May 2017. Before that, the platform relied on reports to a security email inbox for external security tips.
Spotify accepts security reports from hackers via the platform. The issue can then be checked and added to Spotify’s own internal bug tracker based on severity. Spotify’s bug resolution time is now around 24 days from disclosure to fix deployment. After the fix is deployed, hackers are paid a bounty whose value is based on the severity of the issue reported.
Severity scoring for Spotify’s bug bounty uses the Common Vulnerability Scoring System (CVSS). Spotify has resolved over 416 reports since switching to the HackerOne platform in 2017. The average bounty payout is $300, but some of the top bounty payouts range from $875 to $3,000.
Spotify encourages responsible disclosure of bugs and security vulnerabilities in its platform, but it asks hackers to be respectful of its end users. On the bug bounty page, there’s a list of things the company explicitly asks hackers not to do. These include:
- Do not attack accounts belonging to an end-user.
- Don’t run automated scans without checking first.
- Do not test the physical security of Spotify offices.
- Don’t test using social engineering techniques like phishing.
- Do not perform DDoS attacks.
- Don’t engage in trade of stolen user credentials.
One interesting note buried in recent reporting is that Spotify admits the majority of vulnerability reports relate to sites that have been contracted out for development. The company is now working on a global Preferred Production Partner Program that uses security-focused standards for its partners. Spotify says the program also includes a set of expectations for vendors to respond to bug bounty program vulnerabilities.