Why LinkedIn chose to keep its bug bounty program private

Bug bounty programs have become de rigueur for tech and Internet companies that want to improve the security of their products by (partly) outsourcing bug discovery. But while most companies opt for public programs, LinkedIn has decided to keep its program private.

Since its start in October 2014, the program has received 65 actionable bug reports and LinkedIn has awarded over $65,000 in bounties. All of the flagged issues have been fixed.

“This program grew out of engagement with security researchers over the past few years. While the vast majority of reports submitted to our notification email address security@linkedin.com were not actionable or meaningful, a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with and genuinely expressed concern about reducing risk introduced by vulnerabilities,” Cory Scott, director of information security at LinkedIn, explained in a blog post.

“We created this private bug bounty program with them in mind – we appreciated working with people dedicated to coordinated disclosure practices and wanted to engage them in a deeper and mutually rewarding relationship.”

While researchers can still report bugs that impact LinkedIn and/or its users via the aforementioned email address, the bug bounty program is for those who have “proven” themselves.

“The program is invitation-only based on the researcher’s reputation and previous work,” Scott shared. LinkedIn chose a private program so that its security team could concentrate on reports that are more likely to be actionable.

“Our security team works directly with each participant to handle every bug submission from beginning to end. The design of our program means that we can give the researchers who are part of our program the same experience they would have if they were on our team filing bugs right alongside us,” he added.

The program has been set up via HackerOne in order to simplify the process of paying out successful hunters.

“We wanted to make sure we were delivering strong results before we talked about the program; we are seeing great things so far,” Scott explained. “Sharing our different approach can also add some nuance to the dialogue that others may find useful.”

And responsible vulnerability reporting is definitely a subject that inspires widely different opinions.
