Bug Bounties

Spotify

Powered by: 

Allows bounty splitting: 

Average time to first program response: 10

Average time to bounty awarded: 1348

Average time to report resolved: 1524

Handle spotify

Managed program: true

Name: Spotify

Offers bounties: true

Offers swag: false

Response efficiency percentage: 96

Submission state: open

Url: https://hackerone.com/spotify

Website: https://spotify.com

In scope:

  • Asset identifier: *.spotify.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: The spotify.com domain is used for product and corporate-focused websites. This includes, but is not limited to, the web player at http://play.spotify.com/, https://open.spotify.com/browse, and https://accounts.spotify.com. In-scope targets (this list is continuously updated): accounts-staging.spotify.com, accounts.spotify.com, ads.spotify.com, artists.spotify.com, atlas.spotify.com, backstage.spotify.com, canvas.spotify.com, carthing.spotify.com, certomato.spotify.com, community.spotify.com, content-relocation.spotify.com, csat-support-help-page-mobile.spotify.com, developer.spotify.com, explore.spotify.com, hrblog.spotify.com, newsroom.spotify.com, noteable.spotify.com, open.spotify.com, partner-accounts.spotify.com, partner.spotify.com, podcasters.spotify.com, promo.spotify.com, providers.spotify.com, shelter.spotify.com, shop.spotify.com, sonar.spotify.com, spotify.com, stations.spotify.com, support.spotify.com, surveys.spotify.com, takt.spotify.com, uplink.spotify.com, works.spotify.com.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.spotify.net
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify websites in the *.spotify.net domain. The scope includes, but is not limited to: harmony-doctor.spotify.net, status.spotify.net.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.spotifyforbrands.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Websites in the *.spotifyforbrands.com domain (the scope includes, but is not limited to, this domain; no specific targets are listed).
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Anchor
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Anchor was acquired by Spotify in 2019. In-scope target: anchor.fm.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Android SDK
  • Asset type: SOURCE_CODE
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://developer.spotify.com/documentation/android/ and https://github.com/spotify/android-sdk
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Backstage source code
  • Asset type: SOURCE_CODE
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://github.com/spotify/backstage
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Chartable
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Chartable was acquired by Spotify in Feb 2022. In scope: chartable.com, link.chtbl.com, ads.chtbl.com. Not in scope: web.chtbl.com, chtbl.com/track.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Gimlet
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify acquired Gimlet Media in February 2019. In-scope targets (this list is continuously updated): extraordinariesonthemic.com, geistguest.com, gimletmedia.com, gimstaging.com, thesecrettovictory.com.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Greenroom Endpoints
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Greenroom (formerly Locker Room) was acquired by Spotify in March 2021. In scope: admin.betty.run, auth.betty.run, alb.betty.run, disco.betty.run, data.betty.run, notif.betty.run, query.betty.run, recording.betty.run, relation.betty.run. The iOS app is covered by the io.bettylabs.Disco asset and the Android app by the io.bettylabs.disco asset.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Loudr
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Loudr was acquired by Spotify in 2019. The in-scope target list is continuously updated; no targets are listed at present.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Megaphone
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Megaphone was acquired by Spotify. Please be aware that the following domains are OUT OF SCOPE: megaphone.fm, cms.megaphone.fm, developers.megaphone.fm, feeds.megaphone.fm, megaphone.cloud, megaphone.link, megaphone-staging.fm, feeds.megaphone-staging.fm, megaphone-staging.link, panoply.fm, audiol.ink, audiometric.fm, audiometric.io, howdoilistentoapodcast.com, howdoilistentopodcasts.com, megal.ink, megaphone-review.fm, megaphone-review.link, podcastchoices.com, podcastsrule.com, podl.ink, thegriftpodcast.com, theonwardproject.com, tryapodcast.com, trypodcasts.com. In scope: cms.megaphone-staging.fm, developers.megaphone-staging.fm.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Niland
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Niland was acquired by Spotify in 2013. In-scope targets (this list is continuously updated): niland.io.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Other Spotify websites
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Please use this asset for non-*.spotify.com websites. This includes sites in the domains forspotify.com, tospotify.com, fromspotify.com and atspotify.com. In-scope targets (this list is continuously updated): 2020.byspotify.com, 7-eleven.withspotify.com, a1live.withspotify.com, adidas-nitejogger.withspotify.com, adidasultraboost21.withspotify.com, adobe.withspotify.com, ajtracey.withspotify.com, allears-podcastsummit.byspotify.com, allears.byspotify.com, alpsea.byspotify.com, amplifiher.byspotify.com, audiohub.byspotify.com, axahealth.withspotify.com, blackhistoryisnow.com, boniver.withspotify.com, bts-be.withspotify.com, californiaroadtrips.withspotify.com, carnival.withspotify.com, closetheplaygap.com, cointreau.withspotify.com, covid19musicrelief.byspotify.com, culturenext.byspotify.com, directory.byspotify.com, duolovesongs.byspotify.com, entrevoces.withspotify.com, equalizer.byspotify.com, equalizerproject.com, escutaaasminas.byspotify.com, explorethekidsapp.byspotify.com, exxon.withspotify.com, eyeofthestormers.com, fanstudy.byspotify.com, frontleftlive.withspotify.com, frozen2.withspotify.com, gousto.withspotify.com, groupm.withspotify.com, hotwire.withspotify.com, huggies.withspotify.com, indianpop.byspotify.com, issa.website, itzy.byspotify.com, jameson.withspotify.com, jord.withspotify.com, laddabatterierna.withspotify.com, leaocomgas.withspotify.com, lifeatspotify.com, listeningtogether.atspotify.com, listenlocal.byspotify.com, lokidisneyplus.withspotify.com, loudandclear.byspotify.com, lululemon.withspotify.com, macoverjuliendore.withspotify.com, magnumfielalplacer.withspotify.com, maytag.withspotify.com, mcdonalds.withspotify.com, mentosbr.withspotify.com, mikeshardseltzer.withspotify.com, mmsmessages.withspotify.com, motog100.withspotify.com, mottsclamato.withspotify.com, myfuture.withspotify.com, ninemusesfestival.com, paketaxomezclate.withspotify.com, pepsiblackalmaximo.withspotify.com, pets.byspotify.com, play-portraits.com, podcastcharts.byspotify.com, podcastsummit.byspotify.com, poddamnthatsfunny.com, promocards.byspotify.com, pumped.byspotify.com, radaritalia.byspotify.com, resources.byspotify.com, reviewvault.com, rhythmoflife.withspotify.com, rnd.atspotify.com, saiadarotina.withspotify.com, sbsondemand.withspotify.com, secretgenius.com, sergegainsbourg.byspotify.com, sierranevada.withspotify.com, sierranevadaspark.withspotify.com, singalong.byspotify.com, sixthemusical.withspotify.com, sonalytic.com, soundtrackyourride.byspotify.com, soundtrackyourworkout.byspotify.com, spotify-change.com, spotify-library.com, spotify.design, spotify.dev, spotify.live, spotify.stackenterprise.co, spotifycharts.com, spotifycodes.com, spotifycs.my.salesforce.com, spotifyforpartners.com, spotifyforvendors.com, spotifymusicmatchmaker.com, spotifynewsroom.jp, spotifyonstage.com, spotifypodcastsummit.com, spotifypremium.jp, spotifyresonate.com, spotifysoundcheck.com, spotifyvault.com, sprite.withspotify.com, ssi.withspotify.com, star-disneyplus.withspotify.com, starbucksholiday.withspotify.com, thanksgiving.withspotify.com, theweeknd.withspotify.com, timetoplayfair.com, timhortons.withspotify.com, ubykotex.withspotify.com, visitmo.withspotify.com, wishyouwerehere.atspotify.com, xiaomi11.withspotify.com, youraudiojourney.byspotify.com, zerozerozero.withspotify.com, zx2kpure.withspotify.com.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Parcast
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Parcast was acquired by Spotify in 2016. In-scope targets (this list is continuously updated): parcast.com.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Podsights
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Podsights was acquired by Spotify in February 2022. In scope: admin.podsights.com, api.pdst.fm, cdn.pdst.fm, dash.podsights.com, metarouter.pdst.io, pdst.fm, ping.pdst.fm, pod.link, podcast-graph-dot-adaptive-growth.appspot.com, podsights.com, sink.pdst.fm.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Preact
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Preact was acquired by Spotify in 2016. Out of scope: preact.io is no longer owned by Spotify and is out of scope for this program. In scope (this list is continuously updated): everynoise.com.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Soundtrap
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Soundtrap was acquired by Spotify in 2017. Out of scope: academy.soundtrap.com (please report it to the Teachable bug bounty program on HackerOne instead). In scope (this list is continuously updated): blog.soundtrap.com, edu.soundtrap.com, edublog.soundtrap.com, jobs.soundtrap.com, soundtrap.com, status.soundtrap.com.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Spotify SDKs
  • Asset type: SOURCE_CODE
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: For the Spotify SDKs (note: there are separate scopes for the Web, Android and iOS SDKs): https://developer.spotify.com/
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Spotify desktop application (Windows and Mac)
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: Web Playback SDK
  • Asset type: SOURCE_CODE
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://developer.spotify.com/documentation/web-playback-sdk/
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Whooshkaa
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Whooshkaa was acquired by Spotify in December 2021. In scope: api.whooshkaa.com, dashboard.whooshkaa.com, images.whooshkaa.com, mde.whooshkaa.com, media.whooshkaa.com, play.whooshkaa.com, player.whooshkaa.com, private.whooshkaa.com, rss.whooshkaa.com, vast.whooshkaa.com, webplayer.whooshkaa.com, www.whooshkaa.com.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: api.spotify.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Based on simple REST principles, the Spotify Web API endpoints return JSON metadata about music artists, albums, and tracks directly from the Spotify Data Catalogue. The Web API also provides access to user-related data, such as playlists and music the user saves in the Your Music library. Such access should be enabled through selective authorization by the user. A full list of the objects returned by the Spotify Web API endpoints: https://developer.spotify.com/documentation/web-api/reference/object-model/
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: assets.spotify.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Do not run automated scans against this target; they are often very noisy. In-scope target: assets.spotify.com.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: backstage.io
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Backstage is an open-source developer portal. In-scope targets (this list is continuously updated): backstage.io.
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: com.anchorfminc.Anchor
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.soundtrap.studioapp
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Soundtrap https://itunes.apple.com/us/app/soundtrap/id991031323
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.soundtrap.studioapp
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Soundtrap - Make Music Online https://play.google.com/store/apps/details?id=com.soundtrap.studioapp
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.spotify.client
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify - Music and Podcasts https://itunes.apple.com/us/app/spotify-music-and-podcasts/id324684580
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.spotify.kids
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify Kids https://apps.apple.com/ie/app/Spotify-Kids/id1470209570
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.spotify.kids
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify Kids https://play.google.com/store/apps/details?id=com.spotify.kids
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.spotify.lite
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify Lite https://play.google.com/store/apps/details?id=com.spotify.lite
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.spotify.music
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify - Music and Podcasts https://play.google.com/store/apps/details?id=com.spotify.music
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.spotify.s4a
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: none
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify for Artists https://itunes.apple.com/us/app/spotify-for-artists/id1222021797
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.spotify.s4a
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify for Artists https://play.google.com/store/apps/details?id=com.spotify.s4a
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.spotify.soundtrap.dreamcatcher
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Soundtrap https://apps.apple.com/us/app/soundtrap-capture/id1499500581
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.spotify.stations
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify Stations https://apps.apple.com/us/app/spotify-stations/id1453043471
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.spotify.tv.android
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify Music - for Android TV https://play.google.com/store/apps/details?id=com.spotify.tv.android
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: com.spotify.zerotap
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Spotify Stations https://play.google.com/store/apps/details?id=com.spotify.zerotap
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: fm.anchor.android
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: iOS SDK
  • Asset type: SOURCE_CODE
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://developer.spotify.com/documentation/ios/ and https://github.com/spotify/ios-sdk
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: io.bettylabs.Disco
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Greenroom iOS app.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: io.bettylabs.disco
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Greenroom Android app.
  • Integrity requirements: high
  • Max severity: critical