Launching the Netflix Public Bug Bounty Program

by Sunil Agrawal, Scott Behrens, Dave King, Astha Singhal, Patrick Thomas, Andy Hoernecke, Madan Sriraman

Netflix’s goal is to deliver joy to our 117+ million members around the world, and it’s the security team’s job to keep our members, partners and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty over the past 5 years. We are now publicly launching our bug bounty program through the Bugcrowd platform to continue improving the security of our products and services while strengthening our relationship with the community.

We first started our responsible vulnerability disclosure program in 2013 to provide an avenue for researchers to report security issues to us. To date, we have received and remediated 190 valid issues from this program. Once we felt comfortable with our processes around handling external reports efficiently, we dipped our toe in the bug bounty space with a private program launch in September 2016. Over the past 18 months, we have gradually increased the scope as well as the number of researchers in the program. We started our program with a more limited scope and 100 of Bugcrowd’s top researchers. In preparation for our public launch, we have increased our scope dramatically over the last year and have now invited over 700 researchers. We have attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in.

Since the launch of our private bug bounty program, we have received 145 valid submissions (out of 275 total) of various criticality levels across the Netflix services. These submissions have helped us improve our external security posture and identify systemic security improvements across our ecosystem. We have also made efforts to stay engaged with our researchers via events such as a Defcon Meet and Greet and a recent bug bash. We work closely with researchers to evaluate the impact of a vulnerability and reward accordingly. So far, the highest reward in our program is a $15,000 payout for a critical vulnerability.

Netflix has a unique culture of Freedom and Responsibility that enables us to run an effective bug bounty program. Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly. Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.

Netflix works with security researchers that participate in our program to understand and attempt to acknowledge reports quickly, within seven days of submission. Our current report acknowledgement average is 2.7 days. We also recognize researcher contributions on our Security Researcher Hall of Fame if they are the first to report the issue and we make a code or configuration change based on the report. We pay researchers for unique vulnerabilities that meet the guidelines of our scope as soon as we validate them. Finally, through our public program we will allow coordinated disclosure when appropriate for valid, remediated submissions. Please see our program terms for all details. We are so excited to launch our Public Program and we hope to expand our researcher community.