Netflix announced a bug bounty program for their website, mobile apps and about a dozen other web properties this week offering rewards between $100 and $15,000 for each discovered vulnerability.
Bug bounties are nothing new to Netflix – but you wouldn’t know it, because Netflix has run an invite-only private bug bounty program for the last five years and recognizes bug hunters in a “Hall of Fame” menu, which is a nice touch. Netflix launched its Responsible Vulnerability Disclosure program privately in 2013 and found the experience productive. As a result, it opened the program publicly this month on the Bugcrowd platform. Acknowledging the bug hunters involved in the private program sends a positive message to the community that the company is highly engaged in the cyber security realm.
The bug-busting invitees come from Bugcrowd’s top 100 ranked bug hunters. The bug hunters submitted 275 bugs of which 145 were determined to be valid. This seems like a low bug total and may be attributable to the engineering culture of ownership and security at Netflix.
There are strict guidelines posted on Bugcrowd. The authorized targets are clearly explained here, as are the targets that are off-limits. They also spell out a few caveats for testing: you must hack against your own account, and if you reach an unauthorized area or discover private information while testing, you must stop immediately and submit a bug report.
The bounty matrix is clearly described on Bugcrowd, with the highest bounties of $15,000 reserved for the Netflix API and netflix.com.