Netflix’s goal is to deliver joy to our members around the world, and it is the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty for a number of years. Our public bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community.
We require that all researchers:
- Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not degrade the Netflix user experience, disrupt production systems, or destroy data during security testing.
- Perform research only within the scope set out below.
- Use the Bugcrowd report submission form to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third-party file sharing sites).
- When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
- Securely delete Netflix information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
If you fulfill these requirements, Netflix will:
- Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission).
- Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
- Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us using the Bugcrowd portal.
To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines. If you have questions about responsible disclosure of results for a submission, please reach out to us via the submission page.
If you have any questions regarding the Netflix program, please reach out to firstname.lastname@example.org.
Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program, particularly for the Targets we have listed. Please note that Netflix generally only issues a reward if we pursue a change based on the researcher submission, and we retain the sole discretion to reward any such submission even if it relates to a target that isn’t listed below. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the award ranges detailed below.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.