plex.tv
External Program
Plex and its employees take security very seriously. To make our products as secure as they can be, we invite anyone that finds a potential security risk or data leak to disclose it in a responsible way to the Plex Security Team. We ask everyone that finds an issue to follow the guidelines below:
Only access or expose your own data.
If you happen to access or expose other data, report it to us as soon as possible. Do not attempt any further exploits at this point.
Avoid tools or techniques that can degrade the service for other customers.
Don’t disclose vulnerabilities to anyone but Plex.
While we take every submission seriously, a lot of submissions are trivial and have very little effect on the security of Plex and our customers. Below we list things that we are specifically interested in:
Remote code execution in any of our client applications or in our cloud infrastructure
Privilege escalation attacks against our cloud infrastructure
Authentication attacks
Cross-site scripting (XSS)
Cross-site request forgery (CSRF/XSRF)
Examples of non-qualifying submissions:
Denial of Service vulnerabilities (DoS)
Possibilities to send malicious links to people you know
Security bugs in third-party sites and software that integrate with Plex (this includes WordPress issues, unless related to account creation/authentication or subscription purchasing)
Insecure cookie handling
Spam or social engineering techniques
Circumvention of 4-digit PIN codes for account switching (PIN codes are not considered true security measures)
In order to qualify for any kind of reward, our engineers have to be able to reproduce the problem. So, please be explicit in your report, since this will save everyone’s time.
We are very grateful to anyone that can report an exploit or vulnerability according to the guidelines above and help us secure our customers’ data. This is a discretionary policy and Plex reserves the right to cancel or modify the policy at any point.
We are only rewarding people that find unknown vulnerabilities; anything that is already known (either by internal auditing or external reports) will not qualify for a reward.
We will not be able to pay anything to security researchers that reside in sanctioned countries. A current list can be found on [this US Treasury Department page](https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx).
All qualifying reports are offered a reward based on the severity of the reported issue. The reward decided upon will be one or more of the following: a lifetime Plex Pass, monetary compensation, or other. Any monetary rewards are paid via PayPal only.
Please use the information here to report a potential security issue to Plex:
Write to our Security team at mailto:[email protected]. If you’d like to encrypt your email, please use our [public PGP key](https://plex-security.s3.amazonaws.com/plex-security-public-key.asc).
Be sure to include relevant details in the report, such as platform, app/server version, necessary conditions for the exploit to work, a description with proof of concept or exploit code, the impact of the issue if exploited, etc.
Do not contact individual Plex employees directly.
Report only one vulnerability per email.
Only submissions to this email address directly will be eligible for rewards.
If we have any questions related to the report, we’ll be sure to let you know. Thanks for helping us make Plex more secure for everyone!
[Get our public PGP key](https://plex-security.s3.amazonaws.com/plex-security-public-key.asc)
Last modified on: August 18, 2025