Netflix announced in a Medium post today that it is opening a public bug bounty program on the Bugcrowd bug bounty platform.
The roots of the company’s bug hunting concept go back to 2013 when Netflix launched what it called a,”responsible vulnerability disclosure program.” The idea continued to develop over the years and they launched a private bug bounty program on Bugcrowd in 2016. They started small with 100 researchers and today at the launch of the public program they have increased that number to 700, according to the blog post.
They report since inception they have been able to solve 145 issues, paying out a variety of bounties with the highest being $15,000. “We have attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in,” the company wrote in the blog post announcing the program.
Netflix is far from alone in running these kinds of programs. Many big organizations like Facebook, Google and many others use bug bounty programs to pay researchers to find security holes on their platforms before black-hat hackers do. The idea is to provide financial incentive to find the bugs, rather than going in and exploiting the vulnerability for personal gain.
There is generally a leader board, so in addition to financial remuneration, the researcher also gets bragging rights and public acclaim for tracking down bugs. And it’s not just traditional tech companies running these programs. General Motors has one running on the HackerOne platform and MasterCard has one on Bugcrowd.
Bugcrowd and other bug bounty platforms like HackerOne provide a way to administer the program, providing a way to recruit researchers, then letting them know which vulnerabilities they are looking for and how much they are willing to pay. To give you a sense of how lucrative these programs can be to hackers, Google released a report last month indicating it paid out almost $3 million in bounties last year with rewards ranging from $500 to $100,000.
Netflix is hoping to attract people who can similarly help them track bugs and keep their systems secure. A bug bounty program is a proven way to achieve that.