Security Experts:

LinkedIn Paid Out Over $65,000 in Private Bug Bounty Program

LinkedIn has been running a private bug bounty program through the HackerOne platform since October 2014. The business-oriented social networking service provided on Wednesday some details on the benefits of having such a program.

According to Cory Scott, LinkedIn’s director of information security, researchers reported a total of 65 “actionable” vulnerabilities since the launch of the program. The company has awarded these individuals more than $65,000 for their contribution to making the service more secure.

LinkedIn says it has received numerous vulnerability reports at its dedicated email address, security(at)linkedin.com. While many of the reports sent through this channel have not been actionable or meaningful, a small group of researchers have regularly submitted useful information. The private bug bounty program was launched for these individuals, Scott said.

“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Scott explained in a blog post. “This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”

Scott has pointed out that public programs have a poor signal-to-noise ratio due to numerous incorrect, incomplete or irrelevant reports. On the other hand, the signal-to-noise ratio of the private program is currently 7:3.

LinkedIn is encouraging users to continue submitting vulnerability reports via the security(at)linkedin.com email address, but the company’s bug bounty program remains private. The program is invitation-only; LinkedIn says it selects researchers based on their reputation and previous work.

The number of researchers currently enrolled in the bug bounty program is not being released. Those who express interest in the program will be evaluated by the LinkedIn security team, but the company says it’s currently not accepting additional researchers into the program.

LinkedIn plans on releasing annual reports detailing the number of bugs submitted through the program and the amount of money paid out to contributing researchers.

It’s not surprising that LinkedIn wants to make sure its systems are properly secured against hacker attacks. In 2012, the company suffered a data breach in which attackers obtained 6.5 million customer records. Shortly after the incident, the social media giant announced that it had spent between $500,000 and $1 million on investigating and addressing the breach.

Related: Google Launches Android Security Rewards Program

Related: United Airlines Offers Air Miles in New Bug Bounty Program

Related: Dropbox Launches Bug Bounty Program

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.