Netflix’s goal is to deliver joy to our members around the world, and it is the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty for a number of years. Our public bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community.
We require that all researchers:
- Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not degrade the Netflix user experience, disrupt production systems, or destroy data during security testing.
- Perform research only within the scope set out below.
- Use the Bugcrowd report submission form to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
- When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
- Securely delete Netflix information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
- Follow the Bugcrowd “Coordinated Disclosure” rules.
If you fulfill these requirements, Netflix will:
- Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)
- Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
- Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us using the Bugcrowd portal.
To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.
If you have any questions regarding the Netflix program, please reach out to firstname.lastname@example.org.
Primary Targets Overview
Primary targets make up the Netflix.com user experience. Valid vulnerabilities submitted against primary targets will result in higher payouts than secondary applications (see “Primary Target Reward Guidelines” below).
api-*.netflix.com, api.netflix.com, *.prod.ftl.netflix.com, *.prod.cloud.netflix.com, *.prod.dradis.netflix.com
The primary Netflix experience is driven by microservices that are hosted and called through our API. You may see the API referenced as api*.netflix.com as well as www.netflix.com/api/*.
The primary Netflix experience is hosted on this top level domain. The UI uses a combination of React JS and Node.
Secure static assets are hosted on this domain.
Ichnaea is a logging endpoint used to collect client information.
Beacon is a logging endpoint used to collect client information from members' browsers and streaming devices.
Please note that customerevents.netflix.com, nmtracking.netflix.com, and presentationtracking.netflix.com are all aliases of beacon.netflix.com. Submissions containing variations of the URL will not be treated as unique.
Our Open-Connect CDN serves video content over this domain.
Static content is served over this domain.
Static content is served over this domain.
Static content is served over this domain.
Our help site provides a knowledge base and customer service chat.
Dockhand is used for tracking ads.
Netflix partner page
Mobile Targets Overview
Netflix Mobile Application for iOS: Can be downloaded here.
Netflix Mobile Application for Android: Can be downloaded here.
Corporate Targets Overview (Netflix.com Google G Suite)
Insecure usage or misconfiguration of the G Suite instance associated with ONLY the netflix.com domain (NOT any subdomains such as subdomain.netflix.com or ANY OTHER domains such as netflixcs.com). Please note that this is limited to a vulnerability in Netflix’s usage and configuration of G Suite, and not G Suite itself.
Corporate target submissions must include information to help us understand root cause.
Device & Content Authorization Targets Overview
Methods of subverting Netflix content authorization systems to achieve video playback on unauthorized devices are in scope. Examples include circumventing the content authorization systems, obtaining private keys used for authorization, etc. Only playback of full content is in scope—supplemental content such as trailers, images etc. is not in scope.
Private keys used for video content decryption are in scope. Reports must contain private key material which enables decryption of video streams at the time reported. Groups of keys discovered at the same time (e.g. leaked together) or using the same methods (shared vulnerability across multiple devices) will only qualify for a single reward. Submissions related to screenshots or screen recording are not in scope. Submissions must include actual private key material.
Reports must contain specific, clearly articulated and actionable details relating to how the keys were discovered or extracted to qualify for a reward.
Secondary Targets Overview
Secondary targets are systems that have less impact on the primary Netflix experience, and so will be paid at a lower rate than primary targets (see “Secondary Reward Guidelines” below). In addition, valid vulnerabilities for these submissions will only be considered for risks P3 or higher.
Public Netflix web applications not related to the web browser www.netflix.com experience are secondary targets.
Microsites are sites that Netflix typically publishes for promotion or in support of Netflix titles.
Out of Scope (PLEASE READ)
- Third party websites or systems hosted by non-Netflix entities
- Netflix client applications (except mobile and content authorization targets specified above)
In addition, findings that fall into the “Excluded Submission Types” listed below will also be flagged as out of scope.
If you have a concern about whether a potential submission is in-scope, please first validate that it is demonstrably owned by Netflix, and carefully read the "Out of Scope", "Excluded Submission Types", and the "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgement regarding scope. Submissions that demonstrate thoughtful consideration for scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points.
Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program. Please note that Netflix generally only issues a reward if we pursue a change based on the researcher submission. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the typical award ranges detailed below.
If your submission impacts a web application listed in the “Primary Targets Overview” section above and meets the other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards that we typically choose to provide. For definitions of P1 - P4, see Bugcrowd’s Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy).
| Priority | Reward range |
|---|---|
| P1 | $4,000 - $20,000 |
| P2 | $1,500 - $4,000 |
| P3 | $500 - $1,500 |
| P4 | $200 - $500 |
If your submission impacts a mobile application listed in the "Mobile Targets Overview" section, is a priority P1, or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
| Priority | Reward range |
|---|---|
| P1 | $1,500 - $5,000 |
| P2 | $500 - $1,500 |
If your submission impacts a target listed in the "Corporate Targets Overview" section, is a priority P1, or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g. not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
| Priority | Reward range |
|---|---|
| P1 | $2,000 - $10,000 |
| P2 | $500 - $2,000 |
Content Authorization Targets
Since this category is not in Bugcrowd’s Vulnerability Rating Taxonomy, valid reports will be categorized as P2 or P3. P2 targets include methods of subverting content authorization or obtaining private keys. P3 targets include leaked private keys for content decryption. Submissions of hardware-backed private keys (i.e. from a TEE) & key exfiltration methods will have higher payouts than submissions of software-backed private keys & key exfiltration methods.
If your submission impacts a target listed in the "Content Authorization Targets Overview" section, and meets other applicable requirements (e.g. not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
| Priority | Reward range |
|---|---|
| P2 | $1,000 - $5,000 |
| P3 | $300 - $1,000 |
We encourage researchers to focus on primary targets as this will result in the highest payouts and quickest response time. If your submission impacts a web application listed in the "Secondary Targets Overview" section, is a priority P1, P2 or P3 (P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
| Priority | Reward range |
|---|---|
| P1 | $1,500 - $4,000 |
| P2 | $500 - $1,500 |
| P3 | $200 - $500 |
We encourage researchers to focus their efforts in the following areas:
- Cross Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Authentication related issues
- Authorization related issues
- Data Exposure
- Redirection attacks
- Remote Code Execution
- Business Logic
- MSL Protocol (https://github.com/Netflix/msl)
- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
- Mobile-specific API vulnerabilities
Excluded Submission Types
Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.
The Netflix Bug Bounty program follows Bugcrowd’s Vulnerability Rating Taxonomy with some additional vulnerability classes we consider to be excluded below:
- Cookie valid after logout
- Cookie valid after password change/reset
- Cookie expiration
- Cookie migration/sharing
- Forgot password autologin
- Autologin token reuse
- Static content over HTTP
- Free trials
- Same Site Scripting
- Physical Testing
- Social Engineering
  - For example, attempts to steal cookies, fake login pages to collect credentials
- Denial of service attacks
- Resource Exhaustion attacks
- Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Issues related to rate limiting
- Login or Forgot Password page brute force and account lockout not enforced
- Services listening on port 80
- Internal IP address disclosure
- Issues related to cross-domain policies for software such as Flash, Silverlight etc. without evidence of an exploitable vulnerability
- Username / Email Enumeration
  - via Login Page error message
  - via Forgot Password error message
  - via Registration
- Weak password policies
- Weak Captcha / Captcha bypass
- Vulnerabilities impacting only old/end-of-life browsers/plugins, including:
  - Issues that have had a patch available from the vendor for at least 6 months
  - Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
- Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Netflix systems or software (e.g. UXSS)
- Reports relating to Symantec root certificates
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
- Vulnerability reports relating to sites or network devices not owned by Netflix
- Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
- For Device & Content Authorization Targets: Vulnerabilities from already publicly broken protocols (e.g. HDCP v1.4)
Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at Netflix’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.