PLEASE NOTE: Submissions will not be paid until they have been fixed and moved to the ‘Resolved’ state in Crowdcontrol.

We're big believers in protecting your privacy and security. As a company, we not only have a vested interest, but also a deep desire to see the Internet remain as safe as possible for us all.
So, needless to say, we take security issues very seriously.

In our opinion, the practice of 'responsible disclosure' is the best way to safeguard the Internet. It allows individuals to notify companies like Spotify of any security threats before going public with the information. This gives us a fighting chance to resolve the problem before the criminally-minded become aware of it.

Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.

Rules of engagement
We are interested in hearing about security issues on all Spotify properties, including our client software, SDKs and web services hosted domains owned by Spotify.
To be eligible for a reward, note that we typically require the issue report to have some actual security impact in a realistic scenario. This does not mean you need to fully exploit issues, just provide the information you have, and we will analyze your report and draw conclusions on the impact.

There are some things we explicitly ask you not to do:

  • When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or Spotify employee may be disqualified.
  • Do not run automated scans without checking with us first. They are often very noisy.
  • Do not test the physical security of Spotify offices, employees, equipment, et.c.
  • Do not test using social engineering techniques (phishing, vishing, et.c.)
  • Do not perform DoS or DDoS attacks.
  • In any way attack our end users, or engage in trade of stolen user credentials.

Targets

In scope

  • Spotify SDKs
  • Spotify APIs
  • All Spotify Clients (Web & Mobile)
  • All Spotify Websites

Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your username@bugcrowdninja.com. All emails will go to the email address associated with your account.

Spotify for iOS: https://itunes.apple.com/us/app/spotify-music/id324684580?mt=8
Spotify for Android: https://play.google.com/store/apps/details?id=com.spotify.music&hl=en

All companies acquired by Spotify are not in scope.

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • assets.spotify.com is excluded from the program

Out of Scope bugs for Android apps

  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation is out of scope
  • oauth "app secret" hard-coded/recoverable in apk
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in android app

Out of Scope bugs for iOS apps

  • Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • Lack of jailbreak detection is out of scope
  • oauth "app secret" hard-coded/recoverable in apk
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)

Rules

This program follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.