Netflix Launches Public Bug Bounty Program

Streaming giant Netflix has announced the launch of a public bug bounty program designed to allow security researchers to responsibly disclose vulnerabilities in exchange for rewards.

With some 117 million members around the world, Netflix is among the world’s largest streaming services. After engaging in private bug bounty programs over the past five years, Netflix is now publicly launching its rewards-for-flaws effort in a partnership with BugCrowd. Rewards with a ‘P1’ priority can fetch up to $15,000 if researchers discover a vulnerability in Netflix’s web applications listed among the “Primary Targets Overview”.

Netflix explains:

Primary targets make up the user experience. Valid vulnerabilities submitted against primary targets will result in higher payouts than secondary applications.

Netflix confirms it began its vulnerability disclosure program in 2013 as an avenue for researchers to report security concerns. Over 190 valid issues have been received and remediated through the program so far. Subsequently, Netflix began a private bug bounty program in September 2016 that enabled 100 of Bugcrowd’s top researchers to participate. In comparison, the public program will now expand to over 700 researchers.

A total of 145 valid submissions (out of 275 in total) looking into various criticality levels across Netflix services were reported in the private bug bounty program, Netflix revealed.

“Netflix has a unique culture of Freedom and Responsibility that enables us to run an effective bug bounty program,” the company added in its announcement. “Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly. Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity.”

The minimum payout will see researchers receive between $100-$300 for lower priority submissions among primary and secondary targets. Mobile services will also be under the scanner, with researchers eligible for up to $5,000 as a reward.

Image credit: Pixabay.