We're big believers in protecting your privacy and security. As a company, we not only have a vested interest, but also a deep desire to see the Internet remain as safe as possible for us all.
So, needless to say, we take security issues very seriously.
In our opinion, the practice of 'responsible disclosure' is the best way to safeguard the Internet. It allows individuals to notify companies like Spotify of any security threats before going public with the information. This gives us a fighting chance to resolve the problem before the criminally-minded become aware of it.
Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.
If you have discovered a vulnerability in this open source project or another serious security issue, please submit it to the Spotify bounty program hosted by HackerOne.