Netflix’s Private Bug Bounty Programs
Netflix first launched a “responsible vulnerability disclosure program” in 2013 to give security researchers a way to report bugs to the company. Researchers have reported 190 valid issues to Netflix via this program.
After gaining some experience on how to handle reported bugs with this program, Netflix launched a private bug bounty program in September 2016. The company started its program with the 100 of the top security researchers on the Bugcrowd platform. Since then, Netflix has invited over 700 security researchers to join its private program.
The company’s private bug bounty program has received 145 valid issues so far, out of a total of 276 submitted bugs. Netflix said that the reported issues helped the company identify systemic improvements across its ecosystem. It noted that it has paid researchers based on the severity of the bugs they found, with the largest reward being $15,000 for a critical vulnerability.
How Netflix Responds To Bug Reports
The company’s own security engineers are usually the ones to respond to the reported bugs in the products for which they are responsible. They are also the ones to reward the researchers who found the bugs based on a reward matrix and bug severity. This type of flexibility helps the company improve the experience for the researchers who report the bugs.
Netflix said that it’s now able to acknowledge bug reports in an average of 2.7 days and a maximum of seven days. If reported bugs lead to a change of code on Netflix’s side, the first researcher to have reported the bug will be included in Netflix’ Security Researcher Hall of Fame.
The company added that it pays the researchers based on the bugs they report, as long as they meet the guidelines and it can validate them. The company said that it will allow coordinated disclosure when appropriate through its public bug bounty program, after the bugs have been fixed.
Netflix invited all security researchers to see its program terms and join the new public bug bounty program.