2018-03-22
2019-09-26
Reward: 200 $

Netflix

Netflix’s goal is to deliver joy to our members around the world, and it is the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty for a number of years. Our public bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community.

Guidelines

We require that all researchers:

  • Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the Netflix user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope set out below.
  • Use the Bugcrowd report submission form to report vulnerability information to us.
  • Collect only the information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
  • Securely delete Netflix information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

If you fulfill these requirements, Netflix will:

  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)
  • Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us using the Bugcrowd portal.

To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines. If you have questions about responsible disclosure of results for a submission, please reach out to us via the submission page.

If you have any questions regarding the Netflix program, please reach out to support@bugcrowd.com.

Reward Guidelines

Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program. Please note that Netflix generally only issues a reward if we pursue a change based on the researcher submission. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the award ranges detailed below.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

In Scope

| Scope Type | Scope Name |
|---|---|
| android_application | Netflix Mobile Application for Android |
| api | api*.netflix.com |
| api | *.prod.ftl.netflix.com |
| api | *.prod.cloud.netflix.com |
| api | *.prod.dradis.netflix.com |
| ios_application | Netflix Mobile Application for iOS |
| undefined | Open Source - Consoleme |
| undefined | Open Source - Weep |
| undefined | Open Source - Zuul |
| undefined | Corporate Targets |
| undefined | Content Authorization Findings |
| undefined | Secondary Targets (read below) |
| undefined | Microsites |
| undefined | Open Source - Atlas |
| undefined | Open Source - Conductor |
| undefined | Open Source - Dispatch |
| undefined | Open Source - Metaflow |
| undefined | Open Source - Spectator |
| web_application | www.netflix.com |
| web_application | secure.netflix.com |
| web_application | ichnaea.netflix.com |
| web_application | *.nflxvideo.net |
| web_application | *.nflxext.com |
| web_application | *.nflximg.net |
| web_application | *.nflxso.net |
| web_application | help.netflix.com |
| web_application | dockhand.netflix.com |
| web_application | beacon.netflix.com |
| web_application | presentationtracking.netflix.com |
| web_application | nmtracking.netflix.com |
| web_application | customerevents.netflix.com |
| web_application | meechum.netflix.com |


FireBounty crawled the Netflix program on the Bugcrowd platform on 2018-03-22.
