Netflix’s goal is to deliver joy to our 117+ million members around the world, and it's the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty over the past 5 years. We are now publicly launching our bug bounty program through the Bugcrowd platform to continue improving the security of our products and services while strengthening our relationship with the community.
We require that all researchers:
- Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not degrade the Netflix user experience, disrupting production systems, or destroy data during security testing.
- Perform research only within the scope set out below.
- Use the Bugcrowd report submission form to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
- When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
- Securely delete Netflix information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
- Follow the Bugcrowd “Coordinated Disclosure” rules.
If you fulfill these requirements, Netflix will:
- Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission);
- Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
- Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us using the Bugcrowd portal.
To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.
If you have any questions regarding the Netflix program, please reach out to firstname.lastname@example.org.
Primary Targets Overview
Primary targets make up the Netflix.com user experience. Valid vulnerabilities submitted against primary targets will result in higher payouts than secondary applications (see “Primary Target Reward Guidelines” below).
The primary of the Netflix experience is driven by microservices that are hosted and called through our API. You may see the API referenced as api*.netflix.com as well as www.netflix.com/api/*.
The primary Netflix experience is hosted on this top level domain. The UI uses a combination of React JS and Node.
Secure static assets are hosted on this domain.
Ichnaea is a logging endpoint used to collect client information.
Beacon is a logging endpoint used to collect client information from member's browsers and streaming devices.
Please note that customerevents.netflix.com, nmtracking.netflix.com, and presentationtracking.netflix.com are all alias of beacon.netflix.com. Submissions containing variations of the URL will not be treated as unique.
Our Open-Connect CDN serves video content over this domain.
Static content is served over this domain.
Static content is served over this domain.
Our help site provides a knowledge base and customer service chat.
Dockhand is used for tracking ads.
Mobile Targets Overview
Netflix Mobile Application for iOS: Can be downloaded here.
Netflix Mobile Application for Android: Can be downloaded here.
Corporate Targets Overview (Netflix.com Google G Suite)
Insecure usage or misconfiguration of the G Suite instance associated with ONLY the netflix.com domain (NOT any subdomains such as subdomain.netflix.com or ANY OTHER domains such as netflixcs.com). Please note that this is limited to a vulnerability in Netflix’s usage and configuration of G Suite, and not G Suite itself.
Secondary Targets Overview
Secondary targets are systems that have less impact on the primary Netflix experience, and so will be paid at a lower rate than primary targets (see “Secondary Reward Guidelines” below). In addition, valid vulnerabilities for these submissions will only be considered for risks P3 or higher.
Public Netflix web applications not related to the web browser www.netflix.com experience are secondary targets.
Out of Scope (PLEASE READ)
- Third party websites or systems hosted by non-Netflix entities
- Netflix device client applications
In addition, findings that fall into the “Excluded Submission Types” listed below will also be flagged as out of scope.
Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the typical award ranges detailed below.
Optional: Netflix will award a 15% premium on valid and accepted submissions for testing performed from a static IP address and the string “bugcrowd-<username>” appended to your HTTP user agent string. This info should be reported in the submission with relevant credential details. The correlating information will be used to facilitate a more accurate understanding of testing coverage specific to the bounty program.
If your submission impacts a web application listed in the “Primary Targets Overview” section above and meets the other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards that we typically choose to provide. For definitions of P1 - P4, see Bugcrowd’s Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy).
|P1||$4,000 - $20,000|
|P2||$1,500 - $4,000|
|P3||$500 - $1,500|
|P4||$200 - $500|
If your submission impacts a mobile application listed in the "Mobile Targets Overview" section, is a priority P1, or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
|P1||$1,500 - $5,000|
|P2||$500 - $1,500|
If your submission impacts a target listed in the "Corporate Targets Overview" section, is a priority P1, or P2 (P3, P4 and P5 will not be accepted), and meets other applicable requirements (e.g. not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
|P1||$2,000 - $10,000|
|P2||$500 - $2,000|
We encourage researchers to focus on primary targets as this will result in the highest payouts and quickest response time. If your submission impacts a web application list in the "Secondary Targets Overview" section, is a priority P1, P2 or P3 (P4 and P5 will not be accepted), and meets other applicable requirements (e.g., not an Excluded Submission Type), these are the ranges of rewards we typically choose to provide:
|P1||$1,500 - $4,000|
|P2||$500 - $1,500|
|P3||$200 - $500|
We encourage researchers to focus their efforts in the following areas:
- Cross Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Authentication related issues
- Authorization related issues
- Data Exposure
- Redirection attacks
- Remote Code Execution
- Business Logic
- MSL Protocol (https://github.com/Netflix/msl)
- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
- Mobile-specific API vulnerabilities
Excluded Submission Types
Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.
The Netflix Bug Bounty program follows Bugcrowd’s Vulnerability Rating Taxonomy with some additional vulnerability classes we consider to be excluded below:
- Cookie valid after logout
- Cookie valid after password change/reset
- Cookie expiration
- Cookie migration/sharing
- Forgot password autologin
- Autologin token reuse
- Static content over HTTP
- Vulnerabilities related to streaming and offline playback.
- Free trials
- Same Site Scripting
- Physical Testing
- Social Engineering
- For example, attempts to steal cookies, fake login pages to collect credentials
- Denial of service attacks
- Resource Exhaustion attacks
- Issues related to rate limiting
- Login or Forgot Password page brute force and account lockout not enforced
- Services listening on port 80
- Internal IP address disclosure
- Issues related to cross-domain policies for software such as flash, silverlight etc. without evidence of an exploitable vulnerability
- Username / Email Enumeration
- via Login Page error message
- via Forgot Password error message
- via Registration
- Weak password policies
- Weak Captcha / Captcha bypass
- Vulnerabilities impacting only old/end-of-life browsers/plugins including:
- Issues that have had a patch available from the vendor for at least 6 months
- Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
- Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Netflix systems or software (e.g. UXSS)
- Reports relating to Symantec root certificates
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
- Vulnerability reports relating to sites or network devices not owned by Netflix
- Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is in Netflix’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.