Netflix Public Bug Bounty

Netflix announced a bug bounty program for their website, mobile apps and about a dozen other web properties this week offering rewards between $100 and $15,000 for each discovered vulnerability.

Bug bounties are nothing new to Netflix – but you wouldn’t know it, because Netflix has run an invite-only private bug bounty program for the last five years and recognizes bug hunters in a “Hall of Fame” menu, which is a nice touch. Netflix launched its Responsible Vulnerability Disclosure program privately in 2013 and found the experience productive. As a result, it opened the program publicly this month on the Bugcrowd platform. Acknowledging the bug hunters involved in the private program sends a positive message to the community that the company is highly engaged in the cyber security realm.

The bug-busting invitees came from Bugcrowd’s top 100 ranked bug hunters. They submitted 275 bugs, of which 145 were determined to be valid. This seems like a low bug total and may be attributable to the engineering culture of ownership and security at Netflix.

There are strict guidelines posted on Bugcrowd. The authorized targets are clearly explained there, as are the targets that are off-limits. A few testing caveats are also spelled out: you must test against your own account, and if you reach an unauthorized area or discover private information while testing, you must stop immediately and submit a bug report.

The bounty matrix is clearly described in Bugcrowd with the highest bounties of $15,000 focused on the Netflix API and
