
Netflix
External Program
Netflix’s goal is to deliver joy to our members around the world, and it is the security team's job to keep our members, partners, and employees secure. We have been engaging with the security community to achieve this goal through programs like responsible disclosure and private bug bounty for a number of years. Our bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community.
To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines. If you have questions about responsible disclosure of results for a submission, please reach out to us via the submission page.
Please collect all relevant information related to your research and provide sufficient details, including proof of concept, videos, and screenshots. Reach out to us through the submissions page, and feel free to include any questions in your report.
Netflix wishes to incentivize broad, information-rich vulnerability submissions to our program, particularly for the Targets we have listed.
Please note that Netflix generally only issues a reward (points and/or bounty) if we pursue a change based on the researcher's submission, and we retain the sole discretion to reward (points and/or bounty) any such submission even if it relates to a target that isn’t listed below.
For certain vulnerabilities that may be present in different parts of a web application or view, Netflix may provide, at its discretion, an additional reward for those reports that detail multiple vectors for injections, XSS, or similar. This reward is in addition to the award ranges detailed below.
Primary targets make up the Netflix.com user experience.
| Severity | Maximum Bounty | Minimum Bounty |
|---|---|---|
| Critical | $25,000 | $5,000 |
| High | $5,000 | $2,000 |
| Medium | $2,000 | $600 |
| Low | $600 | $300 |
Secondary targets are systems that have less impact on the primary Netflix experience, and so will be paid at a lower rate than primary targets (see “Secondary Reward Guidelines” below).
| Severity | Maximum Bounty | Minimum Bounty |
|---|---|---|
| Critical | $5,000 | $2,000 |
| High | $2,000 | $600 |
| Medium | $600 | $300 |
Netflix Mobile application for iOS and Android
| Severity | Maximum Bounty | Minimum Bounty |
|---|---|---|
| Critical | $5,000 | $2,000 |
| High | $2,000 | $600 |
For targets listed in the "Corporate Targets Overview" section, we only reward bugs that are Critical or High based on the CVSS.
These are the ranges of rewards we typically choose to provide:
| Severity | Maximum Bounty | Minimum Bounty |
|---|---|---|
| Critical | $10,000 | $2,000 |
| High | $2,000 | $500 |
High severity targets include methods of subverting content authorization or obtaining private keys. Medium targets include leaked private keys for content decryption. Submissions of hardware-backed private keys (i.e. from a TEE) & key exfiltration methods will have higher payouts than submissions of software-backed private keys & key exfiltration methods.
| Severity | Maximum Bounty | Minimum Bounty |
|---|---|---|
| High | $5,000 | $1,000 |
| Medium | $1,000 | $300 |
Primary targets make up the Netflix.com user experience. Valid vulnerabilities submitted against primary targets will result in higher payouts than secondary applications (see “Primary Target Reward Guidelines” below).
| Primary Target | Details |
|---|---|
| api-*.netflix.com, api.netflix.com, *.prod.ftl.netflix.com, *.prod.cloud.netflix.com, *.prod.dradis.netflix.com | The primary Netflix experience is driven by microservices that are hosted and called through our API. You may see the API referenced as api*.netflix.com as well as www.netflix.com/api/*. |
| www.netflix.com | The primary Netflix experience is hosted on this top-level domain. The UI uses a combination of React JS and Node. |
| Secure.netflix.com | Secure static assets are hosted on this domain. |
| ichnaea.netflix.com | Ichnaea is a logging endpoint used to collect client information. |
| beacon.netflix.com | Beacon is a logging endpoint used to collect client information from members' browsers and streaming devices. Please note that customerevents.netflix.com, nmtracking.netflix.com, and presentationtracking.netflix.com are all aliases of beacon.netflix.com. Submissions containing variations of the URL ==will not== be treated as unique. |
| *.nflxvideo.net | Our Open Connect CDN serves video content over this domain. |
| *.nflxext.com | Static content is served over this domain. |
| *.nflximg.net | Static content is served over this domain. |
| *.nflxso.net | Static content is served over this domain. |
| help.netflix.com | Our help site provides a knowledge base and customer service chat. |
| meechum.netflix.com | Netflix partner page. |
| Mobile Target | Download |
|---|---|
| Netflix Mobile Application for iOS: | Can be downloaded here. |
| Netflix Mobile Application for Android: | Can be downloaded here. |
Insecure usage or misconfiguration of the G Suite instance associated with ONLY the netflix.com, netflixcontractors.com, and netflixanimation.com domains (NOT any subdomains such as subdomain.netflix.com or ANY OTHER domains such as netflixcs.com). Please note that this is limited to a vulnerability in Netflix’s usage and configuration of G Suite, and not G Suite itself.
Corporate target submissions must include information to help us understand root cause.
Publicly accessible Google Document or Drive Links:
For documents that contain particularly sensitive information (typically personal information or active credentials), we may choose a higher priority and associated payout range, based on impact. We expect this to be rare and on a case-by-case basis, and this determination is made by Netflix.
Please remember: our Guidelines require you to not access customer or employee personal information or Netflix confidential information. If you accidentally access any of these within exposed Google documents, please stop testing and submit the vulnerability.
Methods of subverting Netflix content authorization systems to achieve video playback on unauthorized devices are in scope. Examples include circumventing the content authorization systems, obtaining private keys used for authorization, etc.
Private keys used for video content decryption are in scope.
Reports must contain specific, clearly articulated and actionable details relating to how the keys were discovered or extracted to qualify for a reward.
Secondary targets are systems that have less impact on the primary Netflix experience, and so will be paid at a lower rate than primary targets (see “Secondary Reward Guidelines” below). In addition, valid vulnerabilities for these submissions will only be considered for risks of medium severity or higher.
Public Netflix web applications not related to the web browser www.netflix.com experience are secondary targets.
Microsites: Microsites are sites that Netflix typically publishes for promotion or in support of Netflix titles.
Third-party microsites: Not all microsites are hosted by Netflix. Some are hosted by vendors or partners.
Scoping Guidelines: Netflix publishes many projects as open source, but only some projects are in scope. Vulnerabilities will be rewarded as primary or secondary targets as specified below:
| Primary Targets | URL |
|---|---|
| Zuul | https://github.com/Netflix/zuul |
| Secondary Targets | URL |
|---|---|
| Atlas | https://github.com/Netflix/atlas |
| Spectator | https://github.com/Netflix/spectator |
All other Netflix open source projects are not in scope for reward at this time. Please familiarize yourself with the README and SECURITY files (if present) in each project before testing. They will contain more details about the scope, security model, and a list of any excluded issues.
Open Source Reward Guidelines: Open source targets listed above will be paid out on the Primary or Secondary reward scales as specified above. Open Source projects which are not explicitly listed above are not eligible for reward at this time. The priority for these vulnerabilities will be assigned based on the impact to Netflix.
Our reward philosophy is that we reward (points and/or bounty) when we make a change based on sufficient impact to Netflix. However, to ensure that we are incentivizing impactful findings we have a few areas of submissions that are generally not eligible for payments. These will be rewarded with Kudos points only.
Specific areas include:
We may, at our sole discretion, choose to reward particularly impactful and informative submissions on otherwise non-reward-eligible targets. However maximum payouts will come from the explicitly listed targets.
In addition, findings that fall into the “Excluded Submission Types” listed below will also be flagged as out of scope.
If you have a concern about whether a potential submission is in scope, please first validate that it is demonstrably owned by Netflix, and carefully read the "Out of Scope", "Excluded Submission Types", and "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgment regarding scope. Submissions that demonstrate thoughtful consideration for scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points.
We encourage researchers to focus their efforts in the following areas:
Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.
Some of the vulnerability classes we consider to be excluded are listed below:
This program or engagement ==does not== allow disclosure. You may ==not== release information about vulnerabilities found in this program or engagement to the public.
# Data Deletion
Any data cached or stored during the testing activities must be immediately deleted after report submission. Additionally, any data entered or stored in third-party applications or services as part of the testing process must also be completely deleted. Researchers are responsible for confirming the deletion of all such data and may be required to provide evidence of such deletion.
Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at Netflix’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.