| Scope Type | Scope Name |
| --- | --- |
| other | Please use this asset for non *.spotify.com websites. This includes sites in the domains forspotify.com, tospotify.com, fromspotify.com and atspotify.com. |
| undefined | Spotify desktop application (Windows and Mac) |
Out of Scope
We have added assets for Gimlet Media into scope for our Bug Bounty Program. Spotify acquired Gimlet Media in February 2019. Sites in the *.gimletmedia.com domain are now eligible for our Bug Bounty Program.
We're big believers in protecting your privacy and security. As a company, we not only have a vested interest, but also a deep desire to see the Internet remain as safe as possible for us all. So, needless to say, we take security issues very seriously.
In our opinion, the practice of 'responsible disclosure' is the best way to safeguard the Internet. It allows individuals to notify companies like Spotify of any security threats before going public with the information. This gives us a fighting chance to resolve the problem before the criminally-minded become aware of it.
Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.
We are interested in hearing about security issues on all Spotify properties, including our client software, SDKs and web services hosted on domains owned by Spotify.
To be eligible for a reward, note that we typically require the issue report to have some actual security impact in a realistic scenario. This does not mean you need to fully exploit issues. Simply provide the information you have, and we will analyze your report and draw conclusions on the impact. If you have found multiple vulnerabilities to report, report each one separately, for tracking and payment purposes. If you have a vulnerability to report that depends on chaining, report each link in the chain separately, and then file a report for the whole chain. Expect that we will use reports to search for other instances of the same vulnerability class. Reports are not eligible for additional or higher payment when we find and fix other, unreported instances.
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.
You can find more details in the Structured Scope Section below. Unless specified, companies acquired by Spotify are not in scope.
The following finding types are specifically excluded from the bounty:
Out of Scope bugs for Android apps
Out of Scope bugs for iOS apps
HackerOne's Disclosure Guidelines shall not apply when participating in a Spotify program. Instead, we ask you to abide by the following Spotify Disclosure Guidelines: