Entertainment company now streaming rewards
The time for chilling is over, as Netflix on Wednesday opened up its bug bounty program to the public, offering up to $15,000 to anyone who identifies security flaws in the entertainment company’s popular platforms.
Netflix previously ran a private bug bounty program following the success of a vulnerability disclosure project in 2013, which was geared toward specific researchers.
The company stated that 145 submissions were successful in pointing out vulnerabilities during that time, with 275 potential vulnerabilities submitted in total.
Now running its bug hunting program through Bugcrowd, Netflix will pay researchers between $100 and $15,000 for every minor or critical problem found on its API, main web domain, help center, and mobile applications for both iOS and Android.
This puts the company’s average payout at approximately $1,086, according to Bugcrowd.
Netflix, writing in a blog post, said: “Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly.
“Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity.”
It added: “This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.”
A wide range of focus areas has been suggested by Netflix, including cross-site scripting, SQL injection, and authentication- and authorization-related issues.
The program’s scope does not include social engineering, phishing, cookie migration, or vulnerabilities impacting end-of-life browsers. Accessing a customer’s personal information is void under Bugcrowd’s Vulnerability Rating Taxonomy.
Bug bounty programs continue to grow in popularity among some of the world’s biggest corporations, but this expansion has not been without problems.
Earlier this week, Dropbox updated its vulnerability disclosure policy (VDP) and encouraged other organizations to use it as a template for their own disclosure programs, as it looks to better protect researchers from “abuse, threats, and bullying”, which it says has run throughout the open security community for decades.
Chris Evans, head of security at the cloud hosting service, said in a blog post: “While a well-run bug bounty program is mandatory for maintaining top-tier security posture, they are built on VDP.
“It’s possible to have a great VDP without having a bug bounty program, and organizations should start their security journey there.”