Since launching its bug bounty program in 2016, Netflix has paid out more than $1 million to researchers who have identified vulnerabilities in its systems and products. Over 5,600 contributors have participated in the program, submitting nearly 8,000 unique vulnerability reports. The company has rewarded researchers for 845 vulnerabilities, with over a quarter classified as ‘critical’ or ‘high’ severity.
Initially hosted on Bugcrowd, Netflix’s bug bounty program has now migrated to the HackerOne platform. This transition promises improved triage processes, expanded scope, higher bounty ranges, and exclusive private programs, along with enhanced researcher feedback loops.
Researchers who uncover content authorization issues, such as subverting content authorization or obtaining private keys, can receive rewards ranging from $300 to $5,000. Critical vulnerabilities affecting Netflix.com can fetch up to $20,000, and those impacting corporate assets may earn researchers up to $10,000. The bug bounty program also covers vulnerabilities found in Netflix’s mobile applications.
Recently, a researcher demonstrated vulnerabilities in Microsoft’s PlayReady technology that could be exploited to illicitly download content from popular streaming services, including Netflix. While Netflix did not respond to inquiries regarding its bug bounty program’s coverage of such issues, the researcher behind the discovery, Adam Gowdiak of AG Security Research, suggested that his findings warranted greater compensation than what Microsoft and other impacted companies currently offer through their bug bounty programs.