LinkedIn reveals invitation-only bourgeois bug bounty

Proven: Researchers are signal, the rest of you are noise


LinkedIn has revealed the closed-door bug bounty program it has run for the last eight months, paying out $65,000 in vulnerability rewards along the way. But the company is keeping the door to the scheme firmly closed.

The if-you-need-to-ask-you'll-never-know bounty is designed to cut you the noise from the signal so that only proven security researchers who have delivered consistent vulnerabilities to the LinkedIn security email inbox are invited.

Those crowding the inbox with phishing risks and clickbait attacks have been excluded, allowing LinkedIn to treat external bug hunters as one of their own, information security head Cory Scott says.

"The participants in our private bug bounty program have reported more than 65 actionable bugs and we have successfully implemented fixes for each issue," Scott says ahead of a presentation to be given at BlackHat 2015.

"While the vast majority of reports submitted … were not actionable or meaningful, a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with and genuinely expressed concerned about reducing risk introduced by vulnerabilities.

"This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.."

Hackers are invited based on their reputation and previous work, which Scott says contributes to the program's superior signal-to-noise ratio of 7:3 which "significantly exceeds" that of popular public bug bounties.

Scott still encourages the security proletariat to continue submitting bugs to the security@LinkedIn inbox which is monitored.

LinkedIn uses the HackerOne managed bug bounty service to help manage payments that Scott says can be an accounting pain.

The career confab club turned its focus to security after a devastating 2012 breach when some the SHA-1 hashed passwords of some 6.5 million people were exposed.

It opened its security blog in April and has sent its application, networking, and infrastructure security bods off to speak at conferences. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021