LinkedIn’s Private Bug Bounty Program Goes Public

LinkedIn has gone public with its private bug bounty program, first created in October of last year.

So far, participants have reported more than 65 actionable bugs—and the site has implemented fixes for each issue. In all, LinkedIn has paid out more than $65,000 in bounties, it said.

“This program grew out of engagement with security researchers over the past few years,” said Cory Scott, director of information security at LinkedIn, in a blog. “While the vast majority of reports were not actionable or meaningful, a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with, and genuinely expressed concern about reducing risk introduced by vulnerabilities. We created this private bug bounty program with them in mind—we appreciated working with people dedicated to coordinated disclosure practices and wanted to engage them in a deeper and mutually rewarding relationship.”

Even though LinkedIn evaluated creating a public bug bounty program, it has instead taken a different path in deciding to work with a select few of handpicked researchers to track down flaws.

The program is invitation-only based on the researcher’s reputation and previous work, and the social site evaluates what it calls the “signal-to-noise ratio”: That is, the ratio of good actionable reports to reports that are incorrect, irrelevant, or incomplete.

LinkedIn’s private bug bounty program currently has a signal-to-noise ratio of 7:3, it said, which significantly exceeds the public ratios of popular public bug bounty programs.

“Based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Scott said.

The LinkedIn security team works directly with each participant to handle every bug submission from beginning to end. It also works with the team to uncover vulnerabilities prior to launch, through a design review and pre-release testing. This is important considering that LinkedIn ships code multiple times a day.

While the program remains nominally “private,” the reality is that researchers can submit vulnerabilities through the address. LinkedIn said that it does encourage anyone to report bugs, and said that it would respond to all legitimate enquiries.

What’s Hot on Infosecurity Magazine?