Netflix asks you to start hacking, bug bounty program is now public

The bug bounty program is now open and offers financial rewards for vulnerability disclosure.
Written by Charlie Osborne, Contributing Writer

Netflix is ready to invite researchers worldwide to participate in the firm's bug bounty program and has now made the scheme public.

On Wednesday, the content streaming service, which caters for roughly 117 million customers worldwide by offering films and TV shows, said in a post on Medium that a public bug bounty program has now been launched.

Over the past five years, Netflix has been accepting vulnerability reports from hackers and has been patching bugs through responsible disclosure setups, as well as a private bug bounty program.

However, the bug bounty scheme is now ready to go public and is being hosted on the Bugcrowd platform.

Netflix says the move will allow the company "to continue improving the security of our products and services while strengthening our relationship with the community."

Since the streaming giant established ways for researchers to privately disclose vulnerabilities in 2013, over 190 vulnerabilities have been resolved.

However, once Netflix ironed out issues relating to report handling, this system was extended to a private bug bounty program.

The company says that over the past 18 months and after extending the scheme's reach beyond Bugcrowd's top 100 researchers to over 700 hackers, a total of 275 submissions have been made, of which 145 reports were valid.

"We have attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in," Netflix added.

Targets include the Netflix website, API, help center, and mobile applications for iOS and Android.

A focus on cross-site scripting (XSS) bugs, remote code execution, business logic flaws, SQL injections and API vulnerabilities, among others, is encouraged.

Researchers can earn between $100 and $15,000 per bounty, depending on the severity of the flaw.

"Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly," the company says. "Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program."

"We are so excited to launch our public program and we hope to expand our researcher community," Netflix added.

Bug bounty programs are generally considered an acceptable way for security researchers to report vulnerabilities, but not every disclosure has a happy ending.

See also: Intel bug bounty program expands with more rewards

Password manager software maker Keeper, for example, previously attempted to sue a reporter that reported a vulnerability disclosure story, and has also threatened to sue security firm Fox-IT for finding a bug in one of its products.

In light of the protections that security researchers appear to need more and more, on Wednesday, Dropbox updated its vulnerability disclosure policy to bring to an end "decades of abuse, threats, and bullying" against researchers.

Top 5 security practices in staying safe online: From the experts

Previous and related coverage

Editorial standards