LinkedIn's director of information security has confirmed that the company has joined the ranks of other major companies with bug bounty programmes, including Twitter, Dropbox and Facebook – a fact that remained under wraps for months, as the initiative is an “invitation-only” programme.
In a blog post last Wednesday Cory Scott revealed that LinkedIn's private bug bounty programme was formalised in October 2014, and has since resulted in more than £41,000 in bounties for researchers who reported more than 65 “actionable bugs” to the company. Having seen that the “vast majority” of bug reports submitted to the company “were not actionable or meaningful,” LinkedIn decided to create a private bug bounty programme – one driven by a smaller number of participants who could work closely and effectively with LinkedIn's security team.
“This private bug bounty programme gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn's products while interacting with a small, qualified community of external researchers,” Scott wrote. “The programme is invitation-only based on the researcher's reputation and previous work.”
“An important factor when working with external security reports is the signal-to-noise ratio: the ratio of good actionable reports to reports that are incorrect, irrelevant, or incomplete,” he continued. “LinkedIn's private bug bounty programme currently has a signal-to-noise ratio of 7:3, which significantly exceeds the public ratios of popular public bug bounty programmes.”
Along the way, LinkedIn engaged the assistance of HackerOne, a San Francisco vulnerability management and bug bounty platform provider whose customers already include Twitter, Adobe, Snapchat and Airbnb.
In the midst of tech companies introducing such researcher-friendly policies, the American Civil Liberties Union (ACLU) recently urged the US government to establish bug bounty programmes and disclosure policies for its various agencies. In May, the ACLU wrote a letter to the Commerce Department's Internet Policy Task Force offering recommendations that would help get such efforts underway and, overall, make it easier for researchers to communicate security concerns affecting the public to the government.
LinkedIn's Scott noted that the company still accepts vulnerability reports through security@linkedin[.]com, and that it continues to encourage “anyone to report bugs,” though its bug bounty programme will remain private.
“We did evaluate creating a public bug bounty programme. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem, we believe the cost-to-value of these programmes no longer fits the aspirational goals they originally had,” he said.