March 22, 2018
Amid the public’s growing concerns about web security and data vulnerability, Netflix announced on March 22 that it has opened its security program, the bug bounty program, to the public.
“We are now publicly launching our bug bounty program through the Bugcrowd platform to continue improving the security of our products and services while strengthening our relationship with the community,” reads the company blog.
The company started its “responsible vulnerability disclosure” program in 2013 to provide an avenue for researchers to report security issues. It has received and remediated 190 valid issues from this program, according to the blog.
“Once we felt comfortable with our processes around handling external reports efficiently, we dipped our toe in the bug bounty space with a private program launch in September 2016,” the blog reads. “Over the past 18 months, we have gradually increased the scope as well as the number of researchers in the program.”
The company started the program with 100 of Bugcrowd’s top researchers, and in preparation for the public launch, increased the scope over the last year to more than 700 researchers, according to the blog.
“Since the launch of our private bug bounty program, we have received 145 valid submissions (out of 275 total) of various criticality levels across the Netflix services,” the blog reads. “These submissions have helped us improve our external security posture and identify systemic security improvements across our ecosystem.”
Researchers are rewarded for finding bugs, with the highest payout so far being $15,000, according to the blog.
“Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” the blog reads.