Digital entertainment powerhouse Netflix officially launched a public bug bounty program on Wednesday, offering vulnerability hunters anywhere from $100 to $15,000 per discovery.
Netflix launched its first responsible vulnerability disclosure program in 2013, then opened a private bounty program through the Bugcrowd platform in September 2016. “We started our program with a more limited scope and 100 of Bugcrowd's top researchers. In preparation for our public launch, we have increased our scope dramatically over the last year and have now invited over 700 researchers,” Netflix states in an official blog post announcement.
Netflix says it has received 145 valid submissions since starting its private bounty program, and during that time has taken measures to improve response time and effectiveness. Its current report acknowledgment average is 2.7 days.
“Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” Netflix's announcement continues. “Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.”
The primary targets included within the scope of the program are Netflix's top-level domain (www.netflix.com), APIs, mobile applications for iOS and Android, and various other domains associated with the company's secure static assets and static content, logging endpoints, content delivery network, help site, and Dockhand ad tracking service.
Netflix has posted guidelines for vulnerability researchers here.