Netflix has launched a public bug bounty program through which security researchers can receive rewards of up to $15,000.
Announced on 21 March, the streaming service’s new vulnerability responsible disclosure framework will award researchers thousands of dollars for reporting weaknesses discovered in Netflix’s primary targets. In-scope applications include the American entertainment company’s API, its primary web domain (www.netflix.com) and its Android and iOS apps.
P1-rated flaws, which include vulnerabilities like SQL injection, broken cryptography and sensitive data exposure, can net participants as much as $15,000. Reports on less-severe bugs that affect either primary or secondary targets (public Netflix web applications that exist outside of the Netflix browser experience) will earn researchers somewhere between $100 and $3,000.
Not everything is in scope, however. The streaming service will not give out bounties for flaws discovered in third-party websites that depend on non-Netflix entities for hosting. Nor will it pay out for vulnerabilities uncovered in jobs.netflix.com, media.netflix.com, ir.netflix.com or the company’s device client applications.
Researchers must also meet certain guidelines when reporting a bug. For instance, they must not disrupt production systems or destroy data during their security testing. They must also immediately stop testing if they come across any non-public credentials or applications.
This is the first time Netflix has gone public with a bug bounty framework, but it’s not its first foray into vulnerability responsible disclosure. It launched its first program in 2013 followed by a private scheme three years later. Across those two initiatives, Netflix has received 190 valid issues and 145 eligible submissions to date.
Casey Ellis, founder and chief technology officer of Bugcrowd, told ThreatPost he’s thrilled that Netflix is taking its vulnerability disclosure focus to the next level with a public program hosted on the bug bounty platform:
Our average (Bugcrowd) program payout is between $500 and $600. So Netflix is paying quite well. What’s unique about Netflix and makes this program so exciting is the enormous amount of traffic that the company transmits around the globe. That traffic is now being protected by the broader white hat community.
For more information about Netflix’s new framework, please visit the program’s official page here.
You can also learn more about other essential bug bounty programs here.