Netflix bug bounty program expanded, payouts increased

By /

In 2013, the entertainment giant Netflix began utilizing a disclosure program for researchers to report vulnerabilities. Starting in 2016, the company evolved the disclosure program into a private bug bounty that allowed specifically chosen researchers to gain monetary rewards for discovering vulnerabilities. The private Netflix bug bounty was conducted via Bugcrowd and it involved 100 of Bugcrowd’s best researchers. This number eventually increased to 700, and it was at this point that Netflix was showing a shift in its bug bounty protocol.

Now Netflix has, according to a recent blog post, again made some changes to its bug bounty program. Noting how the private program uncovered 145 bugs, and noticing how effective public bounties can be, Netflix has joined many other corporations in creating a public bug bounty program.

The new public Netflix bug bounty program opens the vulnerability searching and reporting to all white hats. All aspects of Netflix’s services are fair game for the bug bounty, from the website to its various apps on mobile and other devices (like video game consoles). The payouts for bounties have also increased to help entice more white hats to join in on the hunt. The maximum payout at this point tops out at $15,000 and, while the average payout is closer to $1,000, this is bound to bring in the best minds if only for a payday.

Netflix had this to say why they believe the program will be even more successful now that it’s public:

Netflix has a unique culture of Freedom and Responsibility that enables us to run an effective bug bounty program. Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly. Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.

It will be interesting to see how this newly public bug bounty program will fare.

Photo credit: Pixabay

About The Author

Derek Kortepeter is a graduate of UCLA and tech journalist. Kortepeter specializes in areas such as cyber defense, privacy rights, cyber warfare, and governmental InfoSec policy.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top