Netflix
World's leading streaming entertainment service with 260M+ subscribers watching TV shows, movies, and documentaries.
https://netflix.comMax Reward
$20,000
Total Paid
$3,800,000
Resolved
398
Avg Response
3 days
In-Scope Assets
netflix.com
Streaming platform, profiles, and playback
Netflix API
Authentication and content delivery APIs
Netflix Apps
Smart TV, mobile, and desktop applications
Netflix Games
Mobile gaming platform
Out of Scope
- ✕ Content licensing disputes
- ✕ Third-party device firmware
- ✕ Open Connect CDN hardware
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (2)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| NFLX-001 | DRM bypass via modified playback API request headers | Critical | In Review | $10,000–$20,000 | 1 |
| NFLX-002 | Account sharing detection bypass via cookie manipulation | Medium | Open | $2,000–$5,000 | 0 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.