LinkedIn Bug Bounty Program: What You Need to Know
With more companies and startups launching worldwide and the need for security growing with them, it's no surprise that many tech firms rely on bug bounty programs.
In cybersecurity, a bug bounty program is an arrangement in which a company pays outside researchers for reporting vulnerabilities in its systems, usually with a detailed write-up the company can act on.
Bug bounty platforms such as HackerOne and Bugcrowd connect companies with security professionals, researchers, and ethical hackers who look for security issues in those companies' products. In return, the companies pay monetary rewards for valid bugs, with payouts scaled to severity.
If you're wondering what kind of companies run bug bounty programs, it's often the larger ones: Meta (formerly Facebook), Google, and other tech giants. LinkedIn also has its own bug bounty program, which it uses to find and patch vulnerabilities.
In this article, we'll be focusing on the LinkedIn Bug Bounty Program, everything there is to know about it, and how much tech companies offer in bug bounties.
What is the LinkedIn Bug Bounty Program?
In mid-2015, LinkedIn revealed that it had been testing its own bug bounty program since October the year before.
Between October 2014 and July 2015, LinkedIn said it had "patched 65 bugs and paid $65,000 in rewards" to ethical hackers.
According to ThreatPost, the program supports LinkedIn's application security team by letting it uncover "less critical bugs" and focus on submissions from invited researchers.
Cory Scott, LinkedIn's director of information security at the time, said during his 2015 talk on bug bounty programs that the discussion of such programs had "presumed that you should either have a public, take-all-comers approach or use a third-party service to manage the entire program for you like an outsourced penetration test (which is also not a great idea)."
Scott described LinkedIn's approach as "different" and said the firm was sharing it to help others.
"We wanted to make sure we were delivering strong results before we talked about the program and have seen success to date," LinkedIn's then director of information security said.
So, to answer the obvious question: yes, LinkedIn has a bug bounty program.
The rest of this article covers how it works and who can take part.
What are LinkedIn Bug Bounty Program Rules?
In terms of rules, the LinkedIn bug bounty program is a private, invitation-only program. Invitations are based on "the researcher's reputation and previous work," LinkedIn explains.
Usually, invited participants are people who have "submitted quality reports and [LinkedIn has] enjoyed working with," the company says on its HackerOne page. "At times, we may reach out to additional reputable individuals we believe would benefit the program," LinkedIn adds.
That said, if you're an ethical hacker or security researcher who has found a bug, you can still report it to LinkedIn even if you're not part of the private program.
How to Report a Bug to LinkedIn
To report a bug or vulnerability outside of the LinkedIn bounty program, security researchers need to review LinkedIn's disclosure policy, which states that:
- LinkedIn does not allow security researchers to conduct security testing that "attempts to degrade, interrupt, or deny service (DoS)" to any of its members.
- Vulnerability research does not include "accessing or modifying member data" that doesn't belong to the researcher. "All testing should be conducted against accounts that are under a researcher's control," LinkedIn stresses.
- All notifications for bugs or vulnerabilities must be made via email to [email protected]. "Don't submit vulnerabilities on any LinkedIn forums or comment pages," it says.
LinkedIn adds that its security team will respond in a timely manner to all bug and vulnerability reports it receives outside the private bug bounty program.
"Priority will be given to encrypted reports, and please include your PGP key for replies. We also expect researchers to keep the details of the vulnerability private until a fix is released," LinkedIn states via its Help Center.
How does the Bounty Program Work for LinkedIn?
LinkedIn's private bug bounty program helps the company's internal application security team "focus on securing the next generation of LinkedIn’s products." The bounty program helps LinkedIn interact with a "qualified community of external researchers," LinkedIn explains.
However, there are some disqualifiers for people reporting bugs to LinkedIn.
Researchers will be disqualified from participating in the program if they "make threats; demand money/payments/entry into the program in exchange for bugs; publicly disclose vulnerabilities without responsibly disclosing it to LinkedIn first."
Security researchers will also not be eligible for the LinkedIn bounty program if they "spam the security alias; degrade, interrupt or deny service to our users; modify, copy, download, delete or otherwise misuse other members’ data, [and] access non-public member information without authorization," LinkedIn adds.
LinkedIn also stresses that any security researcher who violates the LinkedIn User Agreement will be disqualified from the bug bounty program.
Becoming a Bug Bounty Hunter
If you're looking to join the ranks of bug bounty hunters, you'll need a clear understanding of how web applications work and how they are built.
A bug bounty hunter's skills should also cover information gathering (reconnaissance), SQL injection, Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), information disclosure, and local and remote file inclusion, among others.
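To make one of those skills concrete, here is an added example (not code from LinkedIn or from the original article) in Python: a login lookup that is vulnerable to SQL injection next to its parameterized fix, both run against a constructed in-memory SQLite table. The usernames, passwords, table layout and payloads are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo; not real LinkedIn data.
# Passwords are stored in plain text only to keep the example short;
# a real application would store salted hashes.
SAMPLE_USERS = [
    ("admin", "hunter2", "admin@example.com"),
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "passw0rd", "bob@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: user input is spliced straight into the SQL text.

    Returns the usernames of matching rows; a real app would treat 'any row' as login success.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: a parameterized query, so input can never change the SQL structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two classic payloads a bounty hunter would try against a login form.
COMMENT_PAYLOAD = "admin'--"        # closes the string literal, comments out the password check
TAUTOLOGY_PAYLOAD = "' OR '1'='1"   # makes the WHERE clause true for every row


def demo() -> dict:
    """Run both implementations against normal credentials and the two payloads."""
    conn = build_db()
    return {
        "normal_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "normal_safe": login_safe(conn, "alice", "s3cret"),
        # vulnerable query becomes: ... WHERE username = 'admin'--' AND password = 'wrong'
        "comment_vuln": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        # vulnerable query becomes: ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
        "tautology_vuln": sorted(login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD)),
        "tautology_safe": login_safe(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The two payloads show what a hunter is looking for: the vulnerable version lets `admin'--` skip the password check entirely and `' OR '1'='1` dump every account, while the parameterized version treats the same strings as ordinary, non-matching credentials. Run tests like this only against accounts and systems you control or are authorized to test, which is exactly what LinkedIn's policy above requires.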
How much do Bug Bounties Pay?
If you're wondering how well bug bounty hunting pays, the answer is that it can pay well, but it's not an overnight success story.
HackerOne reports that between 2019 and 2020 the number of resolved vulnerabilities doubled, and that a total of $44.75 million in bounties was paid to ethical hackers around the world.
HackerOne also reports that at least nine security researchers have each earned $1 million or more on its platform since it was founded.
That is a cumulative figure, not something earned in a year or two.
HackerOne further reports that the average bounty paid for a critical vulnerability in 2020 was $3,650.
Payouts depend on the severity of the reported bug and vary from one company to another.
For example, Intel pays a minimum bounty of $500 and up to $30,000 for critical bugs, according to Guru99.
Yahoo sets no minimum, but its maximum payout is $15,000. Snapchat pays a minimum of $2,000 and a maximum of $15,000 for critical bugs.
Meta has no minimum, and its maximum bounty can reach $45,000, GeekFlare reports.
As you can see, bug bounty hunting and bug bounty programs have real benefits.
Even if bounties alone don't give you the financial security you're looking for, they offer security researchers and ethical hackers unique growth opportunities in the cybersecurity industry.
As a bug bounty hunter, you need to be organized and proactive about building your ethical hacking skills.
And since the work involves constant self-learning, it helps to join an ethical hacking community.
If you're looking to give your ethical hacking skills a boost, visit CyberTalents' For Talent page where you can practice by solving various challenges, taking relevant courses, or finding work.
Further reading about Bug Bounty:
How To Become A Bug Bounty Hunter In 2020