Network Security, Vulnerability Management

Binge watching and bug watching: Netflix launches public bug bounty program

Digital entertainment powerhouse Netflix officially launched a public bug bounty program on Wednesday, offering vulnerability hunters anywhere from $100 to $15,000 per discovery.

Netflix launched its first responsible vulnerability disclosure program in 2013, before commencing a private program launch through the Bugcrowd platform in September 2016. “We started our program with a more limited scope and 100 of Bugcrowd's top researchers. In preparation for our public launch, we have increased our scope dramatically over the last year and have now invited over 700 researchers,” Netflix states in an official blog post announcement.

Netflix says it has received 145 valid submissions since starting its private bounty program, and during that time has taken measures to improve response time and effectiveness. Its current report acknowledgment average is 2.7 days.

“Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” Netflix's announcement continues. “Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.”

The primary targets included within the scope of the program are Netflix's top-level domain (, APIs, mobile applications for iOS and Android, and various other domains associated with the company's secure static assets and static content, logging endpoints, content delivery network, help site, and Dockhand ad tracking service.

Netflix has posted guidelines for vulnerability researchers here.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.