Spotify stepped up its efforts to thwart hackers by paying some of them more than $120,000. Since May 2017, Spotify has teamed with the bug bounty platform HackerOne to offer rewards to hackers who find and report bugs and vulnerabilities.
“365 valid and actionable reports”
According to Forbes contributor Davey Winder:
Spotify now has an average time to resolution of 24 days from when a vulnerability is disclosed to a fix being implemented. Once that fix is deployed, the hacker gets paid the relevant bounty commensurate with the severity of the report. The severity scoring is based upon the industry-standard Common Vulnerability Scoring System (CVSS).
To date, Spotify has paid $120,000 (£97,000) in bounties through the HackerOne platform, for more than 365 valid and actionable reports. According to the Spotify program page at HackerOne, the average bounty payout is $300 (£243) and “the highest we’ve rewarded has been $2500 in a few instances,” says Nathan Ferch, site reliability engineering and security manager at Spotify. It takes, on average, just 18 days for the researcher to get their payment after the first disclosure.