Netflix Bug Bounty Entices Security Researchers With $15,000 Payout


Forget about 'Netflix and chill', how about 'Netflix and make some money!'? Sure, the latter isn't likely to trend as a popular catchphrase, and it's not a euphemism for cuddling on the couch (or bed) and getting intimate. However, it is a possibility now that Netflix is opening up its bug bounty program to the public. Rewards for uncovering vulnerabilities vary by severity, with the highest payout so far being $15,000.

The bug bounty program is not new: Netflix has been paying select researchers to uncover security issues since September 2016. Prior to that, Netflix had in place a vulnerability disclosure program dating back to 2013 that allowed researchers to report bugs to the company, though there wasn't a financial incentive attached.

"Since the launch of our private bug bounty program, we have received 145 valid submissions (out of 275 total) of various criticality levels across the Netflix services. These submissions have helped us improve our external security posture and identify systemic security improvements across our ecosystem. We have also made efforts to stay engaged with our researchers via events such as a Defcon Meet and Greet and a recent bug bash," Netflix said.

By opening up the program to the public, Netflix joins a growing list of companies that are willing to pay individuals and teams of researchers of any background for discovering vulnerabilities. Companies such as Apple, Facebook, Google, and Microsoft all have public bug bounty programs in place as well, to name just a few. In fact, Microsoft just recently expanded its bug bounty program to include Spectre-like flaws, for which it is willing to pay up to $250,000 per qualifying bug.

Netflix's maximum payout amount of $15,000 is much smaller, though comparing the streaming service to a major operating system is really apples and oranges. Over the past three months, payouts have averaged a little over $1,086. Netflix's goal is to respond to bug reports within a week, and on average it responds within 2.7 days.