Netflix has paid out more than $1 million for vulnerabilities found in its systems and products since the launch of its bug bounty program in 2016.
The streaming giant said on Tuesday that more than 5,600 researchers have contributed to its program and submitted nearly 8,000 unique vulnerability reports. Rewards were paid out for 845 vulnerabilities, more than a quarter of which were rated ‘critical severity’ or ‘high severity’.
When it launched its public bug bounty program in 2018, Netflix used Bugcrowd to host and manage the initiative. The company now announced that its program has been moved to the HackerOne platform.
With this move, Netflix is promising enhanced triage, increased bounty ranges, an expanded scope, exclusive private programs, and researcher feedback loops.
Content authorization issues, which include subverting content authorization and obtaining private keys, can earn researchers between $300 and $5,000.
Critical vulnerabilities impacting Netflix.com can earn bug bounty hunters up to $20,000, while flaws related to corporate assets can earn researchers up to $10,000. The mobile applications are also covered by the bug bounty program.
A researcher recently demonstrated that vulnerabilities in Microsoft’s PlayReady content access and protection technology can be exploited to illegally download movies from popular streaming services, including from Netflix.
The streaming service did not respond to SecurityWeek’s request for comment when the research came to light.
It’s unclear whether the PlayReady attack would qualify for Netflix’s bug bounty program, but the researcher who discovered the PlayReady vulnerabilities, Adam Gowdiak of Poland-based AG Security Research, suggested that — given its widespread impact and the effort put into it — his research is worth much more than what Microsoft and the other impacted companies are willing to offer through their bug bounty programs.
Related: Fake Netflix App Luring Android Users to Malware
Related: Zoom Paid Out $10 Million via Bug Bounty Program Since 2019
Related: Adobe Adds Content Credentials and Firefly to Bug Bounty Program
