Netflix today announced it is opening a bug bounty program to the public, allowing anyone who finds a bug or critical issue to provide details on that issue and possibly receive a financial reward – often dictated by the severity of the issue – in return. This sees Netflix added to a growing list of tech companies (including Google and Samsung) who have turned to the public pool of researchers as an additional means to improve the functionality and the security of their products.
Although the public side of the bug bounty is a new thing, Netflix has explained a private version of the bounty program has been in effect since September, 2016. The streaming service confirmed as part of that private launch 275 issues had been submitted, with 145 of them deemed as “valid” issues that varied in their level of importance. The company also explained that the private launch has in-part being used as a testing platform for this public launch with the number of researchers involved gradually increasing from the initial 100 up to around 700 at the last count. Something which is likely to now increase significantly with the opening of the platform to the public.
As for the reward tiers, Netflix has not gone into specifics on this point other than stating that at present $15,000 is the highest reward payout to date for the program – with this equating to what the company defined as “a critical vulnerability.” Therefore, it should be expected rewards on offer will decrease accordingly in line with the decreased severity of the issue. In either case, Netflix states that the framework that is now in place means the whole bug bounty process has been streamlined to be as efficient as possible with the company’s engineers able to evaluate and award rewards with autonomy. Something the company says helps as an additional motivator for researchers to take part in the program in the first place. If a financial reward is not enough on its own, Netflix also stated that if a change is made based on a reported issue, the first researcher to report the issue is added to its publicly visible “Security Researcher Hall of Fame.”