netflix
30
In Scope
9
Out of Scope
In-Scope Assets (30)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| *.nflxext.com | WILDCARD | Yes | ||
| *.nflximg.net | WILDCARD | Yes | ||
| *.nflxso.net | WILDCARD | Yes | ||
| *.nflxvideo.net | WILDCARD | Yes | ||
| *.prod.cloud.netflix.com | WILDCARD | Yes | ||
| *.prod.dradis.netflix.com | WILDCARD | Yes | ||
| *.prod.ftl.netflix.com | WILDCARD | Yes | ||
| Affiliates or entities such as recently acquired companies | OTHER | No | - | |
| Content Authorization Targets | OTHER | Yes | - | |
| Content authorization vulnerabilities affecting only the in-browser player | OTHER | No | - | |
| Corporate Assets | OTHER | Yes | - | |
| Low impact, individually exposed Google Docs with no common root cause (see “Publicly accessible Google Document or Drive Links” in the “Corporate Targets” section) | OTHER | No | - | |
| Microsites | OTHER | Yes | - | |
| Netflix Gaming Target | OTHER | No | - | |
| Netflix Mobile Application for Android | ANDROID | Yes | - | |
| Netflix Mobile Application for iOS | IOS | Yes | - | |
| Open Source - Atlas | CODE | Yes | - | |
| Open Source - Spectator | OTHER | Yes | - | |
| Open Source - Zuul | OTHER | Yes | - | |
| Secondary Assets | OTHER | Yes | - | |
| api*.netflix.com | WILDCARD | Yes | ||
| beacon.netflix.com | URL | Yes | ||
| customerevents.netflix.com | URL | Yes | ||
| help.netflix.com | URL | Yes | ||
| ichnaea.netflix.com | URL | Yes | ||
| meechum.netflix.com | URL | Yes | ||
| nmtracking.netflix.com | URL | Yes | ||
| presentationtracking.netflix.com | URL | Yes | ||
| secure.netflix.com | URL | Yes | ||
| www.netflix.com | URL | Yes |
Out-of-Scope Assets (9)
| Asset | Category | Bounty | |
|---|---|---|---|
| Assets associated with ReadyPlayerMe | OTHER | No | |
| Open Source - Consoleme | OTHER | No | |
| Open Source - Dispatch | OTHER | No | |
| Open Source - Weep | OTHER | No | |
| Set-top-boxes, smart TVs, streaming sticks Out of Scope | OTHER | No | |
| Third party websites or systems hosted by non-Netflix entities Out of Scope | OTHER | No | |
| ir.netflix.com | URL | No | |
| ir.netflix.net | URL | No | |
| netflixinvestor.com | URL | No |
Scope Changes (108)
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | low impact, individually exposed google docs with no common root cause (see “publicly accessible google document or drive links” in the “corporate targets” section) | OTHER | Out of Scope | 19:19 |
| Added | affiliates or entities such as recently acquired companies | OTHER | In Scope | 19:19 |
| Added | microsites | OTHER | In Scope | 19:19 |
| Added | secure.netflix.com | URL | In Scope | 19:19 |
| Added | corporate assets | OTHER | In Scope | 19:19 |
| Added | open source - zuul | OTHER | In Scope | 19:19 |
| Added | *.nflxvideo.net | WILDCARD | In Scope | 19:19 |
| Added | *.prod.ftl.netflix.com | WILDCARD | In Scope | 19:19 |
| Added | open source - dispatch | OTHER | Out of Scope | 19:19 |
| Added | open source - weep | OTHER | Out of Scope | 19:19 |
| Added | netflix mobile application for android | ANDROID | In Scope | 19:19 |
| Added | netflix mobile application for ios | IOS | In Scope | 19:19 |
| Added | content authorization vulnerabilities affecting only the in-browser player | OTHER | Out of Scope | 19:19 |
| Added | content authorization targets | OTHER | In Scope | 19:19 |
| Added | assets associated with readyplayerme | OTHER | Out of Scope | 19:19 |
| Added | netflix gaming target | OTHER | Out of Scope | 19:19 |
| Added | ichnaea.netflix.com | URL | In Scope | 19:19 |
| Added | beacon.netflix.com | URL | In Scope | 19:19 |
| Added | *.prod.dradis.netflix.com | WILDCARD | In Scope | 19:19 |
| Added | *.prod.cloud.netflix.com | WILDCARD | In Scope | 19:19 |
| Added | help.netflix.com | URL | In Scope | 19:19 |
| Added | api*.netflix.com | WILDCARD | In Scope | 19:19 |
| Added | ir.netflix.com | URL | Out of Scope | 19:19 |
| Added | nmtracking.netflix.com | URL | In Scope | 19:19 |
| Added | presentationtracking.netflix.com | URL | In Scope | 19:19 |
| Added | *.nflximg.net | WILDCARD | In Scope | 19:19 |
| Added | open source - atlas | OTHER | In Scope | 19:19 |
| Added | *.nflxext.com | WILDCARD | In Scope | 19:19 |
| Added | third party websites or systems hosted by non-netflix entities out of scope | OTHER | Out of Scope | 19:19 |
| Added | netflixinvestor.com | URL | Out of Scope | 19:19 |
| Added | open source - spectator | OTHER | In Scope | 19:19 |
| Added | set-top-boxes, smart tvs, streaming sticks out of scope | OTHER | Out of Scope | 19:19 |
| Added | *.nflxso.net | WILDCARD | In Scope | 19:19 |
| Added | open source - consoleme | OTHER | Out of Scope | 19:19 |
| Added | ir.netflix.net | URL | Out of Scope | 19:19 |
| Added | www.netflix.com | URL | In Scope | 19:19 |
| Added | customerevents.netflix.com | URL | In Scope | 19:19 |
| Added | secondary assets | OTHER | In Scope | 19:19 |
| Added | meechum.netflix.com | URL | In Scope | 19:19 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | set-top-boxes, smart tvs, streaming sticks out of scope | OTHER | Out of Scope | 00:47 |
| Added | meechum.netflix.com | URL | In Scope | 00:47 |
| Added | *.nflxext.com | WILDCARD | In Scope | 00:47 |
| Added | open source - atlas | OTHER | In Scope | 00:47 |
| Added | corporate assets | OTHER | In Scope | 00:47 |
| Added | nmtracking.netflix.com | URL | In Scope | 00:47 |
| Added | *.prod.cloud.netflix.com | WILDCARD | In Scope | 00:47 |
| Added | *.nflxso.net | WILDCARD | In Scope | 00:47 |
| Added | ichnaea.netflix.com | URL | In Scope | 00:47 |
| Added | content authorization targets | OTHER | In Scope | 00:47 |
| Added | affiliates or entities such as recently acquired companies | OTHER | In Scope | 00:47 |
| Added | low impact, individually exposed google docs with no common root cause (see “publicly accessible google document or drive links” in the “corporate targets” section) | OTHER | Out of Scope | 00:47 |
| Added | open source - weep | OTHER | Out of Scope | 00:47 |
| Added | assets associated with readyplayerme | OTHER | Out of Scope | 00:47 |
| Added | open source - consoleme | OTHER | Out of Scope | 00:47 |
| Added | open source - dispatch | OTHER | Out of Scope | 00:47 |
| Added | netflixinvestor.com | URL | Out of Scope | 00:47 |
| Added | api*.netflix.com | WILDCARD | In Scope | 00:47 |
| Added | *.prod.dradis.netflix.com | WILDCARD | In Scope | 00:47 |
| Added | customerevents.netflix.com | URL | In Scope | 00:47 |
| Added | open source - zuul | OTHER | In Scope | 00:47 |
| Added | third party websites or systems hosted by non-netflix entities out of scope | OTHER | Out of Scope | 00:47 |
| Added | ir.netflix.net | URL | Out of Scope | 00:47 |
| Added | *.nflxvideo.net | WILDCARD | In Scope | 00:47 |
| Added | presentationtracking.netflix.com | URL | In Scope | 00:47 |
| Added | microsites | OTHER | In Scope | 00:47 |
| Added | open source - spectator | OTHER | In Scope | 00:47 |
| Added | netflix mobile application for android | ANDROID | In Scope | 00:47 |
| Added | ir.netflix.com | URL | Out of Scope | 00:47 |
| Added | www.netflix.com | URL | In Scope | 00:47 |
| Added | *.prod.ftl.netflix.com | WILDCARD | In Scope | 00:47 |
| Added | beacon.netflix.com | URL | In Scope | 00:47 |
| Added | secure.netflix.com | URL | In Scope | 00:47 |
| Added | *.nflximg.net | WILDCARD | In Scope | 00:47 |
| Added | help.netflix.com | URL | In Scope | 00:47 |
| Added | content authorization vulnerabilities affecting only the in-browser player | OTHER | Out of Scope | 00:47 |
| Added | netflix mobile application for ios | IOS | In Scope | 00:47 |
| Added | secondary assets | OTHER | In Scope | 00:47 |
| Added | netflix gaming target | OTHER | Out of Scope | 00:47 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | *.nflxext.com | WILDCARD | In Scope | 21:39 |
| Removed | netflix mobile application for android | ANDROID | In Scope | 21:39 |
| Removed | netflix mobile application for ios | IOS | In Scope | 21:39 |
| Removed | meechum.netflix.com | URL | In Scope | 21:39 |
| Removed | content authorization targets | OTHER | In Scope | 21:39 |
| Removed | secondary assets | OTHER | In Scope | 21:39 |
| Removed | open source - spectator | OTHER | In Scope | 21:39 |
| Removed | microsites | OTHER | In Scope | 21:39 |
| Removed | open source - zuul | OTHER | In Scope | 21:39 |
| Removed | nmtracking.netflix.com | URL | In Scope | 21:39 |
| Removed | presentationtracking.netflix.com | URL | In Scope | 21:39 |
| Removed | ichnaea.netflix.com | URL | In Scope | 21:39 |
| Removed | help.netflix.com | URL | In Scope | 21:39 |
| Removed | *.nflxso.net | WILDCARD | In Scope | 21:39 |
| Removed | *.nflximg.net | WILDCARD | In Scope | 21:39 |
| Removed | secure.netflix.com | URL | In Scope | 21:39 |
| Removed | customerevents.netflix.com | URL | In Scope | 21:39 |
| Removed | beacon.netflix.com | URL | In Scope | 21:39 |
| Removed | *.prod.dradis.netflix.com | WILDCARD | In Scope | 21:39 |
| Removed | *.nflxvideo.net | WILDCARD | In Scope | 21:39 |
| Removed | corporate assets | OTHER | In Scope | 21:39 |
| Removed | open source - atlas | CODE | In Scope | 21:39 |
| Removed | *.prod.cloud.netflix.com | WILDCARD | In Scope | 21:39 |
| Removed | *.prod.ftl.netflix.com | WILDCARD | In Scope | 21:39 |
| Removed | api*.netflix.com | WILDCARD | In Scope | 21:39 |
| Removed | www.netflix.com | URL | In Scope | 21:39 |
| Added | content authorization vulnerabilities affecting only the in-browser player | OTHER | In Scope | 19:12 |
| Added | netflix gaming target | OTHER | In Scope | 19:12 |
| Added | low impact, individually exposed google docs with no common root cause (see “publicly accessible google document or drive links” in the “corporate targets” section) | OTHER | In Scope | 19:12 |
| Added | affiliates or entities such as recently acquired companies | OTHER | In Scope | 19:12 |