Netflix’s goal is to deliver joy to our members around the world, and it is the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty for a number of years. Our public bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community.
We require that all researchers:
If you fulfill these requirements, Netflix will:
To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines. If you have questions about responsible disclosure of results for a submission, please reach out to us via the submission page.
If you have any questions regarding the Netflix program, please reach out to support@bugcrowd.com.
Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program. Please note that Netflix generally only issues a reward if we pursue a change based on the researcher submission. For certain vulnerabilities which may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports which detail multiple vectors for injections, XSS, or similar. This reward is in addition to the award ranges detailed below.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Scope Type | Scope Name |
---|---|
android_application | Netflix Mobile Application for Android |
api | api*.netflix.com |
api | *.prod.ftl.netflix.com |
api | *.prod.cloud.netflix.com |
api | *.prod.dradis.netflix.com |
ios_application | Netflix Mobile Application for iOS |
undefined | Open Source - Consoleme |
undefined | Open Source - Weep |
undefined | Open Source - Zuul |
undefined | Corporate Targets |
undefined | Content Authorization Findings |
undefined | Secondary Targets (read below) |
undefined | Microsites |
undefined | Open Source - Atlas |
undefined | Open Source - Conductor |
undefined | Open Source - Dispatch |
undefined | Open Source - Metaflow |
undefined | Open Source - Spectator |
web_application | www.netflix.com |
web_application | secure.netflix.com |
web_application | ichnaea.netflix.com |
web_application | *.nflxvideo.net |
web_application | *.nflxext.com |
web_application | *.nflximg.net |
web_application | *.nflxso.net |
web_application | help.netflix.com |
web_application | dockhand.netflix.com |
web_application | beacon.netflix.com |
web_application | presentationtracking.netflix.com |
web_application | nmtracking.netflix.com |
web_application | customerevents.netflix.com |
web_application | meechum.netflix.com |
FireBounty crawled the Netflix program on the Bugcrowd platform on 2018-03-22.