Netflix Opens Bug Bounty Program Worth Up to $15,000 USD

Using Hacking Skills for Good (and Profit)

Netflix has launched their public bug bounty program, offering $1oo to $15,000 USD (hard cap) for each find. The invitation is open to everyone including researchers and white hat hackers to try and find vulnerabilities in their platform. Netflix has actually been accepting security reports from hackers and patching bugs for the past five years. However, this bug bounty scheme is moving from private to public and is being hosted on the Bugcrowd platform.

With Netflix having over 117 million members worldwide, keeping the platform secure is just going to get tougher. Which is why opening up the bounty program to the greater public is an ideal move. Furthermore, it helps Netflix strengthen community involvement. There are of course, some rules to consider to be eligible.

What Guidelines Must Bug Bounty Hunters Abide By?

Netflix requires that researchers abide by the following:

• Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
• Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
• Do not degrade the Netflix user experience, disrupting production systems, or destroy data during security testing.
• Perform research only within the scope set out below.
• Use the Bugcrowd report submission form to report vulnerability information to us.
• Collect only the information necessary to demonstrate the vulnerability.
• Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
• When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
• Follow the Bugcrowd “Coordinated Disclosure” rules.

What Will Netflix Do With Submissions?

The streaming platform will work with the bounty hunter to understand and attempt to resolve the issue within 7 days of submission. They also are going to have a Security Researcher Hall of Fame wherein names of the contributors who discover vulnerabilities first are placed. Those who submit reports that results in Netflix changing congifuration will also be added in the hall of fame.

Most importantly, submissions earn money. The range is from $100 to $15,000 and the typical average has been $1,000 per-find so far from the private submissions. Understandably, only the gravest of security threat submissions will net the top $15,000 reward (P1 priority).

For more information, visit the Netflix Bugcrowd website.