Netflix

  • Points – $15,000 per vulnerability
  • Managed by Bugcrowd

Program stats

255 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$957.89 average payout (last 3 months)

Netflix’s goal is to deliver joy to our 117+ million members around the world, and it's the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty over the past 5 years. We are now publicly launching our bug bounty program through the Bugcrowd platform to continue improving the security of our products and services while strengthening our relationship with the community.


Guidelines


We require that all researchers:

  • Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the Netflix user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope set out below.
  • Use the Bugcrowd report submission form to report vulnerability information to us.
  • Collect only the information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
  • Follow the Bugcrowd “Coordinated Disclosure” rules.

If you fulfill these requirements, Netflix will:

  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission).
  • Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below, if you are the first to report the issue to us using the Bugcrowd portal.

To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

Targets

In scope

Target name                              Type
api*.netflix.com                         Other
www.netflix.com                          Other
secure.netflix.com                       Other
ichnaea.netflix.com                      Other
*.nflxvideo.net                          Other
*.nflxext.com                            Other
*.nflximg.net                            Other
help.netflix.com                         Other
dockhand.netflix.com                     Other
beacon.netflix.com                       Other
presentationtracking.netflix.com         Other
nmtracking.netflix.com                   Other
customerevents.netflix.com               Other
Netflix Mobile Application for iOS       iOS
Netflix Mobile Application for Android   Android

Target Overview


Primary Targets Overview

Primary targets make up the Netflix.com user experience. Valid vulnerabilities submitted against primary targets will result in higher payouts than secondary applications (see “Primary Target Reward Guidelines” below).

api-*.netflix.com, api.netflix.com
The core of the Netflix experience is driven by microservices that are hosted and called through our API. You may see the API referenced as api*.netflix.com as well as www.netflix.com/api/*.

www.netflix.com
The primary Netflix experience is hosted on this top level domain. The UI uses a combination of React JS and Node.

secure.netflix.com
Secure static assets are hosted on this domain.

ichnaea.netflix.com
Ichnaea is a logging endpoint used to collect client information.

beacon.netflix.com
Beacon is a logging endpoint used to collect client information from members' browsers and streaming devices.

Please note that customerevents.netflix.com, nmtracking.netflix.com, and presentationtracking.netflix.com are all aliases of beacon.netflix.com. Submissions that differ only in which of these hostnames is used will not be treated as unique.

*.nflxvideo.net
Our Open-Connect CDN serves video content over this domain.

*.nflxext.com
Static content is served over this domain.

*.nflximg.net
Static content is served over this domain.

help.netflix.com
Our help site provides a knowledge base and customer service chat.

dockhand.netflix.com
Dockhand is used for tracking ads.

Mobile Targets Overview

Netflix Mobile Application for iOS: Can be downloaded here.

Netflix Mobile Application for Android: Can be downloaded here.

Secondary Targets Overview

Secondary targets are systems that have less impact on the primary Netflix experience, and so will be paid at a lower rate than primary targets (see “Secondary Reward Guidelines” below). In addition, valid vulnerabilities for these submissions will only be considered for risks P3 or higher.

Public Netflix web applications not related to the web browser www.netflix.com experience.

Out of Scope (PLEASE READ)


  • Third party websites hosted by non-Netflix entities
  • jobs.netflix.com
  • media.netflix.com
  • ir.netflix.com
  • Netflix device client applications

In addition, findings that fall into the “Excluded Submission Types” listed below will also be flagged as out of scope.

Reward Guidelines


Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the typical award ranges detailed below.

Optional: Netflix will award a 15% premium on valid and accepted submissions for testing performed from a static IP address and the string “bugcrowd-<username>” appended to your HTTP user agent string. This info should be reported in the submission with relevant credential details. The correlating information will be used to facilitate a more accurate understanding of testing coverage specific to the bounty program.

Primary Targets

If your submission impacts a web application listed in the “Primary Targets Overview” section above and meets the other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards that we typically choose to provide. For definitions of P1 - P4, see Bugcrowd’s Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy).

Priority   Reward amount
P1         $3,000 - $15,000
P2         $1,000 - $3,000
P3         $300 - $1,000
P4         $100 - $300

Mobile Services

If your submission impacts a mobile application listed in the "Mobile Targets Overview" section, is a priority P1 or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:

Priority   Reward amount
P1         $1,000 - $5,000
P2         $300 - $1,000

Secondary Targets

We encourage researchers to focus on primary targets, as this will result in the highest payouts and quickest response time. If your submission impacts a web application listed in the "Secondary Targets Overview" section, is a priority P1, P2 or P3 (P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:

Priority   Reward amount
P1         $1,000 - $3,000
P2         $300 - $1,000
P3         $100 - $300

Focus Areas

We encourage researchers to focus their efforts in the following areas:

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution
  • Business Logic
  • MSL Protocol (https://github.com/Netflix/msl)
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
  • Mobile-specific API vulnerabilities

Excluded Submission Types

Vulnerability reports which do not include careful manual validation (for example, reports based only on results from automated tools and scanners, or which describe theoretical attack vectors without proof of exploitability) will be closed as Not Applicable.

The Netflix Bug Bounty program follows Bugcrowd’s Vulnerability Rating Taxonomy with some additional vulnerability classes we consider to be excluded below:

  • Cookie valid after logout
  • Cookie valid after password change/reset
  • Cookie expiration
  • Cookie migration/sharing
  • Forgot password autologin
  • Autologin token reuse
  • Static content over HTTP
  • Vulnerabilities related to streaming and offline playback.
  • Free trials
  • Same Site Scripting
  • Physical Testing
  • Social Engineering
    • For example, attempts to steal cookies, fake login pages to collect credentials
  • Phishing
  • Denial of service attacks
    • Resource Exhaustion attacks
  • Issues related to rate limiting
  • Login or Forgot Password page brute force and account lockout not enforced
  • Services listening on port 80
  • Internal IP address disclosure
  • Issues related to cross-domain policies for software such as Flash, Silverlight, etc. without evidence of an exploitable vulnerability
  • Username / Email Enumeration
    • via Login Page error message
    • via Forgot Password error message
    • via Registration
  • Weak password policies
  • Weak Captcha / Captcha bypass
  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:
    • Issues that have had a patch available from the vendor for at least 6 months
    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Netflix systems or software (e.g. UXSS)
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is in Netflix’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.