Plex Bug Bounty Policy
Plex and its employees take security very seriously. To make our products as secure as they can be, we invite anyone that finds a potential security risk or data leak to disclose it in a responsible way to the Plex Security Team. We ask everyone that finds an issue to follow the guidelines below:
- Only access or expose your own data.
- If you happen to access or expose other data, report it to us as soon as possible. Do not attempt any further exploits at this point.
- Avoid tools or techniques that can degrade the service for other customers.
- Don’t disclose vulnerabilities to anyone but Plex.
What We Are Looking For
While we take every submission seriously, a lot of submissions are trivial and have very little effect on the security of Plex and our customers. Below we list things that we are specifically interested in:
- Remote code execution in any of our client applications or in our cloud infrastructure
- Privilege escalation attacks against our cloud infrastructure
- Authentication attacks
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
Examples of non-qualifying submissions:
- Denial of Service vulnerabilities (DoS)
- Possibilities to send malicious links to people you know
- Security bugs in third-party sites and software that integrate with Plex (this includes WordPress issues, unless related to account creation/authentication or subscription purchasing)
- Insecure cookie handling
- Spam or social engineering techniques
- Circumvention of 4-digit PIN codes for account switching (PIN codes are not considered true security measures)
In order to qualify for any kind of reward, our engineers have to be able to reproduce the problem. So, please be explicit in your report, since this will save everyone’s time.
We are very grateful to anyone that can report an exploit or vulnerability according to the guidelines above and help us secure our customers’ data. This is a discretionary policy and Plex reserves the right to cancel or modify the policy at any point.
We are only rewarding people that find unknown vulnerabilities; anything that is already known (either by internal auditing or external reports) will not qualify for a reward.
We will not be able to pay anything to security researchers that reside in sanctioned countries. A current list can be found on this US Treasury Department page.
All qualifying reports are offered a free lifetime Plex Pass subscription. If you already have a Plex Pass or are not a Plex user, you will be offered the equivalent monetary value. Any monetary rewards are paid via PayPal only.
How to Submit Your Report
Please use the information here to report a potential security issue to Plex:
- Write to our Security team at [email protected]. If you’d like to encrypt your email, please use our public PGP key.
- Be sure to include relevant details in the report, such as platform, app/server version, necessary conditions for the exploit to work, a description with proof of concept or exploit code, the impact of the issue if exploited, etc.
- Do not contact individual Plex employee directly.
- Report only one vulnerability per email.
- Only submissions to this email address directly will be eligible for rewards.
If we have any questions related to the report, we’ll be sure to let you know. Thanks for helping us make Plex more secure for everyone!