Netflix Opens Public Bug Bounty Program with $15K Payout Cap

Netflix opens up bug bounty program to all white hat hackers and ups the ante for bugs to as much as $15,000.

Netflix expanded its bug bounty program on Wednesday, opening it up to any white hat hacker and at the same time increasing the top reward to $15,000.

The bug bounty program, managed by Bugcrowd, now allows any registered hacker to scour Netflix's vast mobile, cloud and software platform for minor and critical bugs worth between $100 and $15,000 each. The program includes everything from Netflix.com to its Android and iOS mobile apps, used by over 117 million Netflix users.

“Netflix has a unique culture of freedom and responsibility that enables us to run an effective bug bounty program. Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” wrote Netflix in a blog post Wednesday.

Prior to working with Bugcrowd, Netflix said it managed a disclosure program of sorts that began in 2013. In 2016, it launched a private bounty program with Bugcrowd that had a limited scope and relied on 100 invited bug hunters. Since then, Netflix said it had received 145 valid bug bounty submissions, out of 275 total submissions.

“In preparation for our public launch, we have increased our scope dramatically over the last year and have now invited over 700 researchers,” Netflix wrote.

According to Bugcrowd, the typical Netflix bounty payout is $1,086.

“Our average (Bugcrowd) program payout is between $500 to $600. So Netflix is paying quite well,” said Casey Ellis, founder and chief technology officer of Bugcrowd.

“What’s unique about Netflix and makes this program so exciting is the enormous amount of traffic that the company transmits around the globe. That traffic is now being protected by the broader white hat community,” Ellis said.

While the bug bounty scope is large, restrictions include not accessing customer or employee personal information and avoiding pre-release Netflix content. Also out of bounds are Netflix device client applications and third-party websites hosted by non-Netflix entities.

In scope are “the Netflix.com user experience,” the Netflix API (referenced as api*.netflix.com as well as www.netflix.com/api/*), both the iOS and Android apps, and over a dozen “secondary targets.”
