Netflix

  • $200 – $20,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

501 vulnerabilities rewarded

Validation within about 19 hours (75% of submissions are accepted or rejected within about 19 hours)

$1,302.27 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Netflix’s goal is to deliver joy to our members around the world, and it is the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty for a number of years. Our public bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community.


Guidelines


We require that all researchers:

  • Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the Netflix user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope set out below.
  • Use the Bugcrowd report submission form to report vulnerability information to us.
  • Collect only the information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
  • Securely delete Netflix information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
  • Follow the Bugcrowd “Coordinated Disclosure” rules.

If you fulfill these requirements, Netflix will:

  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission).
  • Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us using the Bugcrowd portal.

To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

If you have any questions regarding the Netflix program, please reach out to support@bugcrowd.com.

Targets

In scope

Target name [type], followed by its tags:

Corporate Targets [Other]
  • Website Testing
Netflix Mobile Application for iOS [iOS]
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
api*.netflix.com [API Testing]
  • API Testing
  • HTTP
Secondary Targets (read below) [Other]
  • Website Testing
Microsites [Other]
  • Website Testing
*.prod.ftl.netflix.com [API Testing]
Netflix Mobile Application for Android [Android]
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
*.prod.cloud.netflix.com [API Testing]
*.prod.dradis.netflix.com [API Testing]
www.netflix.com [Website Testing]
  • ReactJS
  • jQuery
  • Lodash
  • nginx
  • Java
  • PHP
  • Perl
  • Amazon S3
  • Akamai CDN
  • Paypal
  • Mailchimp
  • Amazon SES
  • Website Testing
secure.netflix.com [Website Testing]
  • Website Testing
ichnaea.netflix.com [Website Testing]
  • Website Testing
*.nflxvideo.net [Website Testing]
  • Website Testing
*.nflxext.com [Website Testing]
  • Website Testing
*.nflximg.net [Website Testing]
  • Website Testing
*.nflxso.net [Website Testing]
help.netflix.com [Website Testing]
  • Bootstrap
  • jQuery
  • Backbone
  • Website Testing
dockhand.netflix.com [Website Testing]
  • Website Testing
beacon.netflix.com [Website Testing]
  • Website Testing
presentationtracking.netflix.com [Website Testing]
  • Website Testing
nmtracking.netflix.com [Website Testing]
  • Website Testing
customerevents.netflix.com [Website Testing]
  • Website Testing
meechum.netflix.com [Website Testing]
  • Website Testing

Target Overview


Primary Targets Overview

Primary targets make up the Netflix.com user experience. Valid vulnerabilities submitted against primary targets will result in higher payouts than secondary applications (see “Primary Target Reward Guidelines” below).

api-*.netflix.com, api.netflix.com, *.prod.ftl.netflix.com, *.prod.cloud.netflix.com, *.prod.dradis.netflix.com
Most of the Netflix experience is driven by microservices that are hosted behind and called through our API. You may see the API referenced as api*.netflix.com as well as www.netflix.com/api/*.

www.netflix.com
The primary Netflix experience is hosted on this top level domain. The UI uses a combination of React JS and Node.

secure.netflix.com
Secure static assets are hosted on this domain.

ichnaea.netflix.com
Ichnaea is a logging endpoint used to collect client information.

beacon.netflix.com
Beacon is a logging endpoint used to collect client information from members' browsers and streaming devices.

Please note that customerevents.netflix.com, nmtracking.netflix.com, and presentationtracking.netflix.com are all aliases of beacon.netflix.com. Submissions containing variations of the URL will not be treated as unique.

*.nflxvideo.net
Our Open-Connect CDN serves video content over this domain.

*.nflxext.com
Static content is served over this domain.

*.nflximg.net
Static content is served over this domain.

*.nflxso.net
Static content is served over this domain.

help.netflix.com
Our help site provides a knowledge base and customer service chat.

dockhand.netflix.com
Dockhand is used for tracking ads.

meechum.netflix.com
Netflix partner page.

Mobile Targets Overview

Netflix Mobile Application for iOS: Can be downloaded here.

Netflix Mobile Application for Android: Can be downloaded here.

Corporate Targets Overview (Netflix.com Google G Suite)

Insecure usage or misconfiguration of the G Suite instance associated with ONLY the netflix.com domain (NOT any subdomains such as subdomain.netflix.com or ANY OTHER domains such as netflixcs.com). Please note that this is limited to a vulnerability in Netflix’s usage and configuration of G Suite, and not G Suite itself.

Corporate target submissions must include information to help us understand root cause.

Device & Content Authorization Targets Overview

Methods of subverting Netflix content authorization systems to achieve video playback on unauthorized devices are in scope. Examples include circumventing the content authorization systems, obtaining private keys used for authorization, etc. Only playback of full content is in scope—supplemental content such as trailers, images etc. is not in scope.

Private keys used for video content decryption are in scope. Reports must contain private key material which enables decryption of video streams at the time reported. Groups of keys discovered at the same time (e.g. leaked together) or using the same methods (shared vulnerability across multiple devices) will only qualify for a single reward. Submissions related to screenshots or screen recording are not in scope. Submissions must include actual private key material.

Reports must contain specific, clearly articulated and actionable details relating to how the keys were discovered or extracted to qualify for a reward.

Secondary Targets Overview

Secondary targets are systems that have less impact on the primary Netflix experience, and so will be paid at a lower rate than primary targets (see “Secondary Reward Guidelines” below). In addition, valid vulnerabilities for these submissions will only be considered for risks P3 or higher.

Public Netflix web applications not related to the web browser www.netflix.com experience are secondary targets.

Microsites
Microsites are sites that Netflix typically publishes for promotion or in support of Netflix titles.

Out of Scope (PLEASE READ)


  • Third party websites or systems hosted by non-Netflix entities
  • jobs.netflix.com
  • ir.netflix.com
  • Netflix client applications (except mobile and content authorization targets specified above)

In addition, findings that fall into the “Excluded Submission Types” listed below will also be flagged as out of scope.

If you have a concern about whether a potential submission is in-scope, please first validate that it is demonstrably owned by Netflix, and carefully read the "Out of Scope", "Excluded Submission Types", and the "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgement regarding scope. Submissions that demonstrate thoughtful consideration for scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points.

Reward Guidelines


Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program. Please note that Netflix generally only issues a reward if we pursue a change based on the researcher submission. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the typical award ranges detailed below.

Primary Targets

If your submission impacts a web application listed in the “Primary Targets Overview” section above and meets the other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards that we typically choose to provide. For definitions of P1 - P4, see Bugcrowd’s Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy).

Priority Reward amount
P1 $4,000 - $20,000
P2 $1,500 - $4,000
P3 $500 - $1,500
P4 $200 - $500

Mobile Targets

If your submission impacts a mobile application listed in the "Mobile Targets Overview" section, is priority P1 or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:

Priority Reward amount
P1 $1,500 - $5,000
P2 $500 - $1,500

Corporate Targets

If your submission impacts a target listed in the "Corporate Targets Overview" section, is priority P1 or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g. not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:

Priority Reward amount
P1 $2,000 - $10,000
P2 $500 - $2,000

Content Authorization Targets

Since this category is not in Bugcrowd’s Vulnerability Rating Taxonomy, valid reports will be categorized as P2 or P3. P2 targets include methods of subverting content authorization or obtaining private keys. P3 targets include leaked private keys for content decryption. Submissions of hardware-backed private keys (i.e. from a TEE) & key exfiltration methods will have higher payouts than submissions of software-backed private keys & key exfiltration methods.

If your submission impacts a target listed in the "Content Authorization Targets Overview" section, and meets other applicable requirements (e.g. not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:

Priority Reward amount
P2 $1,000 - $5,000
P3 $300 - $1,000

Secondary Targets

We encourage researchers to focus on primary targets as this will result in the highest payouts and quickest response time. If your submission impacts a web application listed in the "Secondary Targets Overview" section, is priority P1, P2 or P3 (P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:

Priority Reward amount
P1 $1,500 - $4,000
P2 $500 - $1,500
P3 $200 - $500

Focus Areas

We encourage researchers to focus their efforts in the following areas:

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution
  • Business Logic
  • MSL Protocol (https://github.com/Netflix/msl)
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
  • Mobile-specific API vulnerabilities

Excluded Submission Types

Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.

The Netflix Bug Bounty program follows Bugcrowd’s Vulnerability Rating Taxonomy with some additional vulnerability classes we consider to be excluded below:

  • Cookie valid after logout
  • Cookie valid after password change/reset
  • Cookie expiration
  • Cookie migration/sharing
  • Forgot password autologin
  • Autologin token reuse
  • Static content over HTTP
  • Free trials
  • Same Site Scripting
  • Physical Testing
  • Social Engineering
    • For example, attempts to steal cookies, fake login pages to collect credentials
    • Phishing
  • Denial of service attacks
  • Resource Exhaustion attacks
  • Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
  • Issues related to rate limiting
  • Login or Forgot Password page brute force and account lockout not enforced
  • Services listening on port 80
  • Internal IP address disclosure
  • Issues related to cross-domain policies for software such as Flash, Silverlight etc. without evidence of an exploitable vulnerability
  • Username / Email Enumeration
    • via Login Page error message
    • via Forgot Password error message
    • via Registration
  • Weak password policies
  • Weak Captcha / Captcha bypass
  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:
    • Issues that have had a patch available from the vendor for at least 6 months
    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Netflix systems or software (e.g. UXSS)
  • Reports relating to Symantec root certificates
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Vulnerability reports relating to sites or network devices not owned by Netflix
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
  • For Device & Content Authorization Targets: Vulnerabilities from already publicly broken protocols (e.g. HDCP v1.4)

Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at Netflix’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.