SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Netflix Paid Out Over $1 Million via Bug Bounty Program

Netflix has paid out more than $1 million for vulnerabilities found in its products since the launch of its bug bounty program in 2016.
Streaming platform DRM hacking

Netflix has paid out more than $1 million for vulnerabilities found in its systems and products since the launch of its bug bounty program in 2016.

The streaming giant said on Tuesday that more than 5,600 researchers have contributed to its program and submitted nearly 8,000 unique vulnerability reports. Rewards were paid out for 845 vulnerabilities, more than a quarter of which were rated ‘critical severity’ or ‘high severity’.

When it launched its public bug bounty program in 2018, Netflix used Bugcrowd to host and manage the initiative. The company now announced that its program has been moved to the HackerOne platform.

With this move, Netflix is promising enhanced triage, increased bounty ranges, an expanded scope, exclusive private programs, and researcher feedback loops.

Content authorization issues, which include subverting content authorization and obtaining private keys, can earn researchers between $300 and $5,000. 

Critical vulnerabilities impacting Netflix.com can earn bug bounty hunters up to $20,000, while flaws related to corporate assets can earn researchers up to $10,000. The mobile applications are also covered by the bug bounty program.

Advertisement. Scroll to continue reading.

A researcher recently demonstrated that vulnerabilities in Microsoft’s PlayReady content access and protection technology can be exploited to illegally download movies from popular streaming services, including from Netflix.

The streaming service did not respond to SecurityWeek’s request for comment when the research came to light. 

It’s unclear whether the PlayReady attack would qualify for Netflix’s bug bounty program, but the researcher who discovered the PlayReady vulnerabilities, Adam Gowdiak of Poland-based AG Security Research, suggested that — given its widespread impact and the effort put into it — his research is worth much more than what Microsoft and the other impacted companies are willing to offer through their bug bounty programs.

Related: Fake Netflix App Luring Android Users to Malware

Related: Zoom Paid Out $10 Million via Bug Bounty Program Since 2019

Related: Adobe Adds Content Credentials and Firefly to Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: A Step-by-Step Approach to AI Governance
April 28, 2026

With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

AutoNation has appointed Brian Fricke as Chief Information Security Officer.

Varun Kohli has joined GetReal Security as Chief Marketing Officer.

MongoDB has appointed Doug Bowers as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.