Netflix has launched a public bug bounty program through which security researchers can receive rewards of up to $15,000.
Announced on 21 March, the streaming service's new responsible disclosure program will pay researchers up to several thousand dollars for reporting weaknesses discovered in Netflix's primary targets. In-scope applications include the American entertainment company's API, its main website (www.netflix.com) and its Android and iOS apps.
P1-rated flaws, which include vulnerabilities such as SQL injection, broken cryptography and sensitive data exposure, can net participants as much as $15,000. Reports on less severe bugs that affect either primary targets or secondary targets (public Netflix web applications that sit outside the main Netflix browser experience) will earn researchers between $100 and $3,000.
Not everything is in scope, however. The streaming service will not pay bounties for flaws discovered in third-party websites that rely on non-Netflix entities for hosting. Nor will it pay for vulnerabilities uncovered in jobs.netflix.com, media.netflix.com, ir.netflix.com or the company's device client applications.
Researchers must also meet certain guidelines when reporting a bug. For instance, they must not disrupt production systems or destroy data during their security testing. They must also immediately stop testing if they come across any non-public credentials or applications.
This is the first time Netflix has gone public with a bug bounty program, but it's not the company's first foray into responsible disclosure. It launched its first vulnerability disclosure program in 2013, followed by a private bounty scheme three years later. Across those two initiatives, Netflix has received 190 valid issues and 145 eligible submissions to date.
Casey Ellis, founder and chief technology officer of Bugcrowd, told ThreatPost he's thrilled that Netflix is taking its vulnerability disclosure focus to the next level with a public program hosted on the
This is a Security Bloggers Network syndicated blog post authored by David Bisson. Read the original post at: The State of Security