Connect with us

Hi, what are you looking for?



Netflix Paid Out Over $1 Million via Bug Bounty Program

Netflix has paid out more than $1 million for vulnerabilities found in its products since the launch of its bug bounty program in 2016.


Netflix has paid out more than $1 million for vulnerabilities found in its systems and products since the launch of its bug bounty program in 2016.

The streaming giant said on Tuesday that more than 5,600 researchers have contributed to its program and submitted nearly 8,000 unique vulnerability reports. Rewards were paid out for 845 vulnerabilities, more than a quarter of which were rated ‘critical severity’ or ‘high severity’.

When it launched its public bug bounty program in 2018, Netflix used Bugcrowd to host and manage the initiative. The company now announced that its program has been moved to the HackerOne platform.

With this move, Netflix is promising enhanced triage, increased bounty ranges, an expanded scope, exclusive private programs, and researcher feedback loops.

Content authorization issues, which include subverting content authorization and obtaining private keys, can earn researchers between $300 and $5,000. 

Critical vulnerabilities impacting can earn bug bounty hunters up to $20,000, while flaws related to corporate assets can earn researchers up to $10,000. The mobile applications are also covered by the bug bounty program.

A researcher recently demonstrated that vulnerabilities in Microsoft’s PlayReady content access and protection technology can be exploited to illegally download movies from popular streaming services, including from Netflix.

The streaming service did not respond to SecurityWeek’s request for comment when the research came to light. 

Advertisement. Scroll to continue reading.

It’s unclear whether the PlayReady attack would qualify for Netflix’s bug bounty program, but the researcher who discovered the PlayReady vulnerabilities, Adam Gowdiak of Poland-based AG Security Research, suggested that — given its widespread impact and the effort put into it — his research is worth much more than what Microsoft and the other impacted companies are willing to offer through their bug bounty programs.

Related: Fake Netflix App Luring Android Users to Malware

Related: Zoom Paid Out $10 Million via Bug Bounty Program Since 2019

Related: Adobe Adds Content Credentials and Firefly to Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights