Hello, researcher!
We're big believers in protecting your privacy and security. As a company, we not only have a vested interest, but also a deep desire to see the Internet remain as safe as possible for us all.
So, needless to say, we take security issues very seriously.
Your Spotify account
For password and login problems, if you think your account has been “stolen”, or other issues with your Spotify account, please contact us using our contact form.
Spotting major security issues
If you have discovered a vulnerability in Spotify or another serious security issue, please contact our dedicated email support security@spotify.com.
Vulnerability rewards
Compensation
We are happy to receive good reports on security issues, and may sometimes reward good reports with monetary rewards and/or swag. Please note that we do so at our sole discretion; any decision on rewards is ours alone.
Our monetary rewards, starting from $250, are based on the severity of the reported issue and the quality of the report. To help you know what to expect, we include some guidelines below. Please understand that we cannot provide an exhaustive list on exactly what will or will not qualify for a reward.
Responsible disclosure
In our opinion, the practice of “responsible disclosure” is the best way to safeguard the Internet. It allows individuals to notify companies like Spotify of any security threats before going public with the information. This gives us a fighting chance to resolve the problem before the criminally-minded become aware of it.
Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.
Rules of engagement
We are interested in hearing about security issues on all Spotify properties, including our client software and web services hosted on spotify.com.
To be eligible for a reward, note that we typically require the issue report to have some actual security impact in a realistic scenario. This does not mean you need to fully exploit issues, just provide the information you have, and we will analyze your report and draw conclusions on the impact.
There are some things we explicitly ask you not to do:
- When experimenting, please only attack test accounts you control. A PoC that unnecessarily involves accounts of other end users or Spotify employees may be disqualified.
- Do not run automated scans without checking with us first. They are often very noisy.
- Do not test the physical security of Spotify offices, employees, equipment, etc.
- Do not test using social engineering techniques (phishing, vishing, etc.).
- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in the trade of stolen user credentials.
Low or no impact
We receive a large number of reports with low to no impact. We are happy to receive reports, but please be aware that these issues rarely constitute security issues, and thus are typically not rewarded:
- Descriptive error messages
- Testing the existence of registered username / email
- Non-200 HTTP response codes
- Clickjacking
- Attacks requiring users to run out-of-date software
- CSRF without impact (e.g., an anonymous contact form, or logout CSRF)
- Lack of secure/httpOnly on non-sensitive cookies
- Unvalidated claims that cookies or other secrets “may be guessable”
- Browser cache issues
- Attacks requiring access to a victim’s email account
- Attacks requiring a large amount of user cooperation, such as volunteering critical information to the attacker.
- Copy-pasted reports of low-impact issues from an automated scanner, without sanity checking or analysis for relevance.
Credit where it's due
We'd like to publicly thank the following people for their help in reporting security issues to us. We're very grateful for their assistance.
Callum Carney
João Lucas Melo Brasio
Ava Vita Ciccarelli
Duncan Alderson
Matt Austin
Adrian Birsan
Sergiu Dragos Bogdan
Simon Bräuer
J Muhammed Gazzaly
Ali Hasan Ghauri
Brendan Jamieson
Jaanus Kääp
Abhinav Karnawat
Mathias Karlsson
Jaime Manteiga
Christian Lopez Martin
Andrei Miu
Vinayendra Nataraja
Andrei Neculaesei
Renato Rodrigues
Frans Rosén
Kamil Sevi
Muhammad Talha Khan
Veli-Pekka Vainio
Mohankumar Vengatachalam
Yasir Altaf Zargar
Robert Kugler
Karim Rahal
Alonso Vidales
Evan Ricafort