Responsible Vulnerability Disclosure

This policy was last updated on 01/03/14.

Responsible Disclosure Policy

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Netflix security team. If you are a Netflix member and have questions concerning fraud or malware, please see the following support pages:

If you are a customer seeking information on your account, billing, or site content, please reach out to customer support via phone or live chat.

If you believe you've discovered a security vulnerability on a Netflix property or application, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it is fixed. We appreciate your assistance, and we review all reports and will do our best to address the issue in a timely fashion. To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that a disclosure meets the following guidelines.

Responsible Disclosure Guidelines

  • Notify Netflix and provide us details of the vulnerability. Please provide us a reasonable time period to address the issue before public disclosure.
  • Provide an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other information.
  • We will confirm your email and evaluate the validity and reproducibility of the issue. For valid issues, we will work to fix the issue and keep you apprised of progress.
  • Make a reasonable effort to avoid service disruption (e.g. DoS), privacy issues (i.e. accessing a Netflix customer’s data), and data destruction when performing vulnerability research.
  • Do not request compensation for security vulnerability reports either from Netflix or external vulnerability marketplaces.
  • Do not phish or social engineer employees or customers of Netflix.
  • Do not run automated scanning tools and send us the output without confirming the issue is present. Security tools often output false positives that should be confirmed by the reporter.

Vulnerability Categories We Encourage

We are primarily interested in hearing about the following vulnerability categories:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection Attacks
  • Remote Code Execution
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope Vulnerability Categories

The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit on our researcher list.

  • SSL vulnerabilities related to configuration or version
  • Denial of Service (DoS)
  • User enumeration
  • Brute forcing
  • Secure flag not set on non-sensitive cookies
  • HTTPOnly flag not set on non-sensitive cookies
  • Logout Cross Site Request Forgery (CSRF)
  • Issues only present in old browsers/old plugins/end-of-life software browsers
  • HTTP TRACE method enabled
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

How to Report a Security Vulnerability

Please email security-report@netflix.com to report security vulnerabilities to Netflix. If you feel the email should be encrypted, our PGP key is available below.

PGP Key


Participating Security Researchers - 2015

Netflix would like to thank the following researchers for participating in our responsible disclosure program.

  • Fredrik Nordberg Almroth (@almroot)
  • Jonathan Conerly
  • Ali Hassan Ghori (@alihasanghauri)
  • Behrouz Sadeghipour and Patrik Fehrenbach (@NahamSec)
  • Stephen Tomkinson (@neonbunny9)
  • David Dworken (@ddworken)
  • White Rabbitz (GER)
  • Christopher Presley (@The_Beard_Lives)
  • @insaneasusual
  • Mo'men Basel (@MomenBassel)
  • jamm0 (@jamm0us)
  • MentaL (@ragezone)

Participating Security Researchers - 2014

Netflix would like to thank the following researchers for participating in our responsible disclosure program.

  • Ali Hassan Ghori (@alihasanghauri)
  • Cameron Crowley (@crowley_cam)
  • S.Venkatesh (@PranavVenkatS)
  • Rodolfo Godalle, Jr. (@rodgodalle)
  • Garrett Calpouzos (@GCalps)
  • Guillermo Gabarrín (@ggabarrin9)
  • Kamil Sevi (@kamilsevi)
  • Waqeeh Ul Hasan (@dowaqeeh)
  • Jared Perry (@jared_perry)
  • Robert Williamson (@bobbyman3)
  • Burak Bakir (@pr3d1c7)
  • Andrew Neculaesei (@neculaesei)
  • Ketan Sirigiri (@Cigniti)
  • Gineesh George (@g1n1_influenza)
  • Dan Singerman (@dansingerman)
  • Kenneth F. Belva (@infosecmaverick)
  • Akbar Qureshi (@_AkbarQ)
  • Web Plus
  • Ch. Muhammad Osama (@ChMuhammadOsama)
  • Nitin Goplani (@nitingoplani88)
  • Marcin Piosek (@piochu)
  • Abderrazak YS. (@Y33OULS)
  • Han Lee (@_hanlee)
  • Caleb Watt (@calebwatt15)
  • Krishna Chaitanya Kadaba (@cigniti)
  • Gustavo de Oliveira (@highustavo)
  • Sergio Galán (@NaxoneZ)
  • Rafael Pablos
  • kminthant (@psxchotic)
  • Louis Nadeau (@cybpoulet)
  • Kyle Davidson (@X942_Dev)
  • Robert Verderame (@robertverderame)
  • Olivier Beg (@smiegles)
  • Tim Jenson (@timFGO)
  • Robert Daniel (@_drxp)
  • Danish Tariq
  • Justin Kennedy (@jstnkndy)
  • Christopher Presley (@The_Beard_Lives)
  • Malte Batram (@_batram)
  • David Middlehurst (@dtmsecurity)
  • Francisco Correa (@panchocosil)
  • Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
  • Jack (@linkcabin)
  • David Vieira-Kurz (@secalert)

Participating Security Researchers - 2013

Netflix would like to thank the following researchers for participating in our responsible disclosure program.

  • Paul Scott
  • Jack W (@fin1te)
  • Murat Suljovic
  • Rakan Alotaibi (@hxteam)
  • Reginaldo Silva (@reginaldojsf)
  • Rafay Baloch (@rafaybaloch)
  • Kamil Sevi (@kamilsevi)
  • Chiragh Dewan (@ChiraghDewan)
  • Frans Rosén
  • Sabari Selvan (@EHackerNews)
  • Adam Ziaja (@adamziaja)
  • Yuji Kosuga (@yujikosuga)
  • Emanuel Bronshtein (@e3amn2l)
  • Siddhesh Gawde
  • Malte Batram (@_batram)
  • Ahmad Ashraff (@yappare)
  • Camilo Galdos Aka Dedalo (@SeguridadBlanca)
  • Sergiu Dragos Bogdan
  • Aditya K. Sood (@AdityaKSood)
  • Mohankumar Vengatachalam (@vimokumar)
  • Johnathan Kuskos (@johnathankuskos)
  • Evgueni Erchov (@EErchov)
  • Dylan S. Hailey (@TibitXimer)
  • Rajat Bhargava
  • Ehraz Ahmed (@securityexe)
  • Abhinav Karnawat (w4rri0r)
  • Ajay Singh Negi (@AjaySinghNegi)
  • Peter Jaric (@peterjaric)
  • David Hoyt (@cloudscan)
  • Tarek Siddiki
  • Devesh Bhatt (@deveshbhatt11)
  • Defencely (@Defencely)
  • Matt Ashburn (@mattashburn)
  • Yaroslav Olejnik - O.J.A. (@oja_c7s)
  • Rupesh Reddy (_hck3r)
  • Stewart Anderson (@StewieMAnderson)
  • Florindarck (@QuisterTow)
  • Ali Hassan Ghori (@alihasanghauri)
  • Muhammad Shahmeer (@Shahmeer_Amir)