Spotify Pays Hackers $120,000



Audio streaming supremo Spotify has 232 million active monthly users, more than 50 million music tracks and 450,000 podcast titles. Oh yes, and a "Priority 0" policy when it comes to security, which has seen $120,000 (£97,000) paid out to hackers.

Why Spotify pays hackers to help keep it secure

Before moving to the HackerOne bug bounty platform in May 2017, Spotify relied upon emails to a "security" mailbox or personal contacts of the Spotify security team to find out about vulnerabilities. Unsurprisingly, it didn't receive a massive number of reports this way and managing them by hand wasn't going to scale. Since then, however, things have changed.

Now hackers can submit a report to Spotify via HackerOne, where it is triaged for scope, validity and severity. Vulnerabilities that are valid get forwarded to the Spotify security team, who work with the development team to resolve the issue. By adopting a "Priority 0" approach to site reliability and security, Spotify now has an average time to resolution of 24 days from the disclosure of a vulnerability to a fix being implemented. Once that fix is deployed, the hacker gets paid the relevant bounty, commensurate with the severity of the report. The severity scoring is based upon the industry-standard Common Vulnerability Scoring System (CVSS).

To date, Spotify has paid $120,000 (£97,000) in bounties through the HackerOne platform, for more than 365 valid and actionable reports. According to the Spotify program page at HackerOne, the average bounty payout is $300 (£243) and "the highest we’ve rewarded has been $2500 in a few instances," says Nathan Ferch, site reliability engineering and security manager at Spotify. It takes, on average, just 18 days for the researcher to get their payment after the first disclosure.

The Spotify and HackerOne secure partnership

"HackerOne brings insight into what motivates hackers and has worked for similar programs," Ferch says. "Spotify brings its knowledge of the product, engineering teams, and intuition about where undiscovered vulnerabilities might lie." The first outcome of this partnership, Ferch tells me, was to improve the quality of analytics and "solicit feedback from our most frequent submitters to understand what motivates them and what else we could offer program-wise."

The collaboration certainly seems to be working. Apart from one episode, in which enough users reported that Spotify had reset their account passwords "due to detected suspicious activity" for Zack Whittaker at TechCrunch to investigate, Spotify has been notable by its absence from the data breach headlines. Whittaker reported at the time that "Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts." So even this was a sign of a good security posture, rather than of weak security implementation.

A very close shave

There have, however, been near misses. Spotify revealed how it was told of a series of information disclosure vulnerabilities in "one of our highly visible websites," which meant that "Spotify employee's credentials, including several high-profile employees, were insufficiently protected." Those credentials were not used for other systems, but database credentials, API keys, source code and additional sensitive information could be trivially downloaded. "We kicked off a security investigation, involving our security, legal, and data privacy teams," Spotify said. "After a thorough investigation, we were confident that this vulnerability had not been previously exploited, and we could let out a collective sigh of relief." In the end, payments of $3,000 (£2,434) in bounties were all it took to protect the Spotify reputation from harm.

Spotify follows ‘Golden Paths’ to secure development

Spotify has thousands of engineers and uses what it calls "Golden Paths" to build products. These enable those engineers to develop and deploy code safely at scale. The bug bounty program has shown Spotify that the more a development team sticks to the Golden Path, the less likely it is that a vulnerability will be reported after deployment.

Of course, not all development is in-house. Spotify admits that the majority of the vulnerability reports it receives relate to sites that were contracted out for development, or that came in through companies Spotify has acquired. That is why it is developing the "Global Preferred Production Partner Program," which applies a security-focused set of standards and runtime environments in a similar way to the Golden Path. "It also includes a set of expectations for vendors," Spotify said, "that helps us ensure we can rapidly and effectively respond and correct vulnerabilities that are reported to us through the bug bounty program."
