Date: 2018-03-22

Rewards start from $100 and go up from there

STREAMING GIANT NETFLIX has opened a public bug bounty program to encourage white hat cybersecurity types to seek out vulnerabilities in the company's software.

Launched through the Bugcrowd platform, the new program will offer anything from $100 to a wallet-filling $15,000, providing the bugs are verified by the company and meet its guidelines for reporting.

The guidelines are fairly stringent and require bug hunters to make sure they don't access any customer or employee personal information while chasing down vulnerabilities and to only collect information necessary to the disclosure of any flaws.

But in return for following the guidelines, Netflix will look to confirm the bug reports within seven days and recognise any white hat or hobby hackers' work in its Security Researcher Hall of Fame; that all seems fair to us.

Netflix started a form of bug bounty program back in 2013 with a responsible vulnerability disclosure program, which it then expanded into a private full-fat bug bounty program in 2016 and has kept expanding since then.

It kept the bug bounty program private for a while, initially involving only 100 of the top cyber security researchers on Bugcrowd. Making the bug bounty public marks an expansion of its vulnerability spotting and squashing efforts.

Keeping the bug bounty private to begin with appears to have been an effort on Netflix's part to ensure the program was efficient and effective.

"In preparation for our public launch, we have increased our scope dramatically over the last year and have now invited over 700 researchers. We have attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in," the company said.

Responsible and sensible bug reporting is a key part of cyber security reporting, as revealing a bug too early or without giving enough detail can see a company or individual get rather large amounts of shade from the tech world; just look at CTS-Labs' report of AMD processor vulnerabilities as an example of bug reporting crashing head first into controversy. µ