This week, LinkedIn's director of information security shared that the company has joined the ranks of other major companies with bug bounty programs, including Twitter, Dropbox and Facebook – a fact that remained under wraps for months, as the initiative is an “invitation-only” program.
In a Wednesday blog post, Cory Scott revealed that LinkedIn's private bug bounty program was formalized in October 2014, and has since resulted in more than $65,000 in bounties for researchers who reported more than 65 “actionable bugs” to the company. Having seen that the “vast majority” of bug reports submitted to the company “were not actionable or meaningful,” LinkedIn decided to create a private bug bounty program – one driven by a smaller number of participants who could work closely and effectively with LinkedIn's security team.
“This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn's products while interacting with a small, qualified community of external researchers,” Scott wrote. “The program is invitation-only based on the researcher's reputation and previous work.”
“An important factor when working with external security reports is the signal-to-noise ratio: the ratio of good actionable reports to reports that are incorrect, irrelevant, or incomplete,” he continued. “LinkedIn's private bug bounty program currently has a signal-to-noise ratio of 7:3, which significantly exceeds the public ratios of popular public bug bounty programs.”
Along the way, LinkedIn engaged the assistance of HackerOne, a San Francisco vulnerability management and bug bounty platform provider whose customers already include Twitter, Adobe, Snapchat and Airbnb.
In the midst of tech companies introducing such researcher-friendly policies, the American Civil Liberties Union (ACLU) recently urged the U.S. government to establish bug bounty programs and disclosure policies for its varying agencies. In May, the ACLU wrote a letter to the Commerce Department's Internet Policy Task Force offering recommendations that would help get such efforts underway and, overall, make it easier for researchers to communicate security concerns affecting the public to the government.
LinkedIn's Scott noted that the company still accepts vulnerability reports through security@linkedin[.]com, and that it continues to encourage “anyone to report bugs,” though its bug bounty program will remain private.
“We did evaluate creating a public bug bounty program. However, based on our experience handling external bug reports and our observations of the public bug bounty ecosystem, we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” he said on Wednesday.