LinkedIn’s Private Bug Bounty Program
Reducing Vulnerabilities by Leveraging Expert Crowds
June 17, 2015
One of the best ways we protect our members is by identifying vulnerabilities prior to launch through a careful design review and pre-release testing. In this rapidly changing environment where we ship code multiple times a day, we also keep an eye out for vulnerabilities in production.
Our strong relationship with the security community is crucial to this process and we appreciate the work of individual researchers who contribute their expertise and time to make LinkedIn a safer place for our members. In October 2014, we formalized this partnership with the creation of LinkedIn’s private bug bounty program.
The participants in our private bug bounty program have reported more than 65 actionable bugs and we have successfully implemented fixes for each issue. The participants have given us positive feedback on the program and in return for their work we’ve paid out more than $65,000 in bounties.
Why a private program?
This program grew out of engagement with security researchers over the past few years. While the vast majority of reports submitted to our notification email address firstname.lastname@example.org were not actionable or meaningful, a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with and genuinely expressed concerned about reducing risk introduced by vulnerabilities. We created this private bug bounty program with them in mind – we appreciated working with people dedicated to coordinated disclosure practices and wanted to engage them in a deeper and mutually rewarding relationship.
Our security team works directly with each participant to handle every bug submission from beginning to end. The design of our program means that we can give the researchers who are part of our program the same experience they would have if they were on our team filing bugs right alongside us. When building our program, we recognized that logistics around payment and tracking requires a service provider. We selected HackerOne to assist us, specifically for their team’s ability to manage payments, a process that requires significant diligence for tax reporting and accounting.
We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had.
This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers. The program is invitation-only based on the researcher’s reputation and previous work. An important factor when working with external security reports is the signal-to-noise ratio: the ratio of good actionable reports to reports that are incorrect, irrelevant, or incomplete. LinkedIn’s private bug bounty program currently has a signal-to-noise ratio of 7:3, which significantly exceeds the public ratios of popular public bug bounty programs.
We continue to handle a significant number of vulnerabilities through email@example.com and encourage anyone to report bugs. We take pride in our professional and timely response to anyone who contacts us to share a vulnerability that could impact LinkedIn and our members.
We wanted to make sure we were delivering strong results before we talked about the program; we are seeing great things so far. Sharing our different approach can also add some nuance to the dialogue that others may find useful. We’ll have a lot more to say about public and private bug bounties as well as our application security program at Black Hat USA this year. Our Senior Technical Program Manager David Cintz and I will be presenting “The Tactical Application Security Program: Getting Stuff Done.” at the Briefings. Come by and see us!