BugHunters — Bug Bounty Platform
    Netflix

    Streaming

    World's leading streaming entertainment service with 260M+ subscribers watching TV shows, movies, and documentaries.

    https://netflix.com

    Max Reward: $20,000

    Total Paid: $3,800,000

    Resolved: 398

    Avg Response: 3 days

    In-Scope Assets

    netflix.com

    Streaming platform, profiles, and playback

    Netflix API

    Authentication and content delivery APIs

    Netflix Apps

    Smart TV, mobile, and desktop applications

    Netflix Games

    Mobile gaming platform

    Out of Scope

    • Content licensing disputes
    • Third-party device firmware
    • Open Connect CDN hardware

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    ID | Title | Severity | Status | Reward | Submissions
    NFLX-001 | DRM bypass via modified playback API request headers | Critical | In Review | $10,000–$20,000 | 1
    NFLX-002 | Account sharing detection bypass via cookie manipulation | Medium | Open | $2,000–$5,000 | 0

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for a fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.