Netflix Bug Bounty Program Surpasses $1 Million in Payouts

Since the launch of its bug bounty program in 2016, Netflix has paid out more than $1 million for vulnerabilities discovered in its systems and products.

The streaming giant announced on Tuesday that over 5,600 researchers have contributed to the program, submitting nearly 8,000 unique vulnerability reports. Rewards have been distributed for 845 vulnerabilities, with over a quarter of these rated as ‘critical severity’ or ‘high severity’.

Netflix’s Transition to HackerOne

Netflix initially launched its public bug bounty program in 2018, using Bugcrowd to host and manage the initiative. Recently, the company announced a transition of the program to the HackerOne platform. This move promises to bring enhanced triage, increased bounty ranges, an expanded scope, exclusive private programs, and researcher feedback loops.

Researchers can earn between $300 and $5,000 for uncovering content authorization issues, such as subverting content authorization and obtaining private keys. Critical vulnerabilities impacting Netflix.com can fetch up to $20,000, while flaws related to corporate assets can earn researchers up to $10,000. The bug bounty program also covers vulnerabilities in mobile applications.

A recent demonstration by a researcher highlighted vulnerabilities in Microsoft’s PlayReady content access and protection technology. These vulnerabilities enable the illegal download of movies from popular streaming services, including Netflix.

The PlayReady attack’s eligibility for Netflix’s bug bounty program remains unclear. Adam Gowdiak of Poland-based AG Security Research, who discovered the PlayReady vulnerabilities, suggested that his research is worth much more than what Microsoft and other impacted companies are willing to offer through their bug bounty programs, given its widespread impact and the effort involved. This highlights the ongoing challenges and negotiations around the valuation of security research, particularly when it involves significant and far-reaching vulnerabilities.
