By SecureWorld News Team
Thu | Mar 22, 2018 | 7:48 AM PDT

I still remember interviewing Jimmy Sanders of Netflix DVD at SecureWorld Bay Area, where he's on the Advisory Council. 

I got the impression that the company's culture is about doing what makes sense for the business—and that includes InfoSec.

"We're always trying to question our old paradigms of security. We're just continuously trying to improve what we do," he said.

And one of those things, apparently, is rolling out the red carpet for security researchers, by empowering employees.

"Engineers at Netflix have a high degree of ownership for the security of their products, and this helps us address reports quickly. Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity," the company says.

Netflix launching public bug bounty program

After starting with a small in-house vulnerability disclosure program in 2013, the company transitioned to a small-scale, invite-only bug bounty program in 2016. At that time, Netflix invited 100 of Bugcrowd's top researchers to participate.

Over the last year, the company says, it has increased that number to 700 researchers to prepare for the launch of its public bug bounty program this week.

Ways Netflix is rolling out the red carpet for researchers

The company says researchers can expect the following:

  • Response to a submission within seven days
  • Payouts of up to $15,000 for submissions that lead to code changes
  • Engineers empowered to make reward decisions quickly
  • Special meet and greets or bug bash events
  • Listing on the security researcher "Hall of Fame"

Even with the limited scope of the company's early vulnerability program, Netflix says it was able to make a few hundred security improvements. 

It will be interesting to see what that number looks like a year from now after the launch of its public bug bounty program.
