LinkedIn Paid Out Over $65,000 in Private Bug Bounty Program

LinkedIn has been running a private bug bounty program through the HackerOne platform since October 2014. The business-oriented social networking service provided on Wednesday some details on the benefits of having such a program.

According to Cory Scott, LinkedIn’s director of information security, researchers reported a total of 65 “actionable” vulnerabilities since the launch of the program. The company has awarded these individuals more than $65,000 for their contribution to making the service more secure.

LinkedIn says it has received numerous vulnerability reports at its dedicated email address, security(at) While many of the reports sent through this channel have not been actionable or meaningful, a small group of researchers have regularly submitted useful information. The private bug bounty program was launched for these individuals, Scott said.

“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Scott explained in a blog post. “This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”

Scott pointed out that public programs have a poor signal-to-noise ratio because of the many incorrect, incomplete or irrelevant reports they attract. The private program's signal-to-noise ratio, by contrast, currently stands at 7:3.

LinkedIn is encouraging users to continue submitting vulnerability reports via the security(at) email address, but the company’s bug bounty program remains private. The program is invitation-only; LinkedIn says it selects researchers based on their reputation and previous work.

The number of researchers currently enrolled in the bug bounty program is not being released. Those who express interest in the program will be evaluated by the LinkedIn security team, but the company says it’s currently not accepting additional researchers into the program.

LinkedIn plans on releasing annual reports detailing the number of bugs submitted through the program and the amount of money paid out to contributing researchers.

It’s not surprising that LinkedIn wants to make sure its systems are properly secured against hacker attacks. In 2012, the company suffered a data breach in which attackers obtained 6.5 million customer records. Shortly after the incident, the social media giant announced that it had spent between $500,000 and $1 million on investigating and addressing the breach.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
