LinkedIn Bug Bounty Program - One Year Anniversary of Public Launch

Authors: Ameen Maali, Rohit Pitke, Surbhi Jain, and Mira Thambireddy

Security of our members’ data is a key priority at LinkedIn. To tap into the collective insights of the entire security community, we decided to expand our private bug bounty program to everyone on the HackerOne platform last year. In this blog post, we reflect on our journey through the program’s inception, the successes, the learnings, and discuss why our bug bounty program has been so valuable in keeping LinkedIn a secure and trustworthy platform.

Private Program Overview

Road to Public Launch

In 2014, LinkedIn's Product Security team launched a private bug bounty program with the goal of reducing risk in our applications while maintaining a very high signal-to-noise ratio. Invitations to the program were primarily determined by high-quality engagement with security researchers via our Security mailing lists.

Over the years, we built, managed, and continued to improve the program and leveraged its value to improve the effectiveness of our Security teams, and in turn our products. Based on our experience running the private program and the value it brought to the team and the broader business, we decided to scale the program further by opening it to all researchers on the HackerOne platform.

The journey to the public launch was fun, exciting, and full of late nights and learnings for the team. We started by thinking about what it would mean to first scale from a few hundred researchers in the program to a few thousand. This was our “Controlled Launch” phase, and it included technology updates like consistently following CVSS-based criteria to triage incoming reports, ramping up our internal service level agreements (SLAs), and integrating HackerOne with Jira (our internal defect tracking system). We onboarded the HackerOne Triage team as the first line of responders so our Product Security team could focus on actual security reports. We updated our policy so the program details and rules were crisp and clear, and expanded our yearly bounty budget and bounty payouts to prepare for the upcoming public launch. Additionally, we planned extensively with our Legal and Comms teams to ensure that we could clearly communicate the value of the program to our members, customers, and the outside tech community, as well as get ahead of any potential issues post-launch.

The next step was to determine if we were actually ready to flip the switch. For that, we started measuring multiple program statistics, like the number of incoming reports and Critical/High severity issues, along with the HackerOne SLAs and internal SLAs. We also monitored some non-quantifiable parameters, like the workflow between HackerOne Triage and our Product Security teams, the ease of the triage process, and the preparedness of the team to handle the incoming rush of reports once we launched publicly.

After a few more in-depth sessions with our CISO, Geoff Belknap, we launched our program publicly on HackerOne on May 18th, 2022.

The Numbers

Submissions

As we progressively ramped up our program from private to a public launch, we saw a steady increase in the number of reports received. However, once the public launch was live, the volume of reports surged significantly.

Graphic of the average reports received per month

While the number of incoming reports has increased since our public launch, so has the number of non-security reports.

Graphic of the number of invalid reports received

As expected, we saw a substantial increase in the number of invalid or non-security reports as a public program compared to our time as a private program. To prepare for this surge, we onboarded the HackerOne Triage team to help us filter the incoming reports so that only actual security reports were delivered to our Product Security team.

Bounties

As expected, the growing number of valid security issues has resulted in a significant rise in the amount of bounties awarded. Over the past three years, we have observed an approximate 100% annual increase in the total amount of bounties paid out. This upward trend highlights the valuable contributions and dedication of our security community in identifying and responsibly disclosing vulnerabilities. 

Chart showing bounties paid out

These statistics emphasize the importance of carefully considering budget allocation and bounty payouts when transitioning your program from private to public. By analyzing these numbers, organizations can gain valuable insights into the potential financial implications of running a public program. It is crucial to allocate sufficient resources to ensure the successful management of incoming reports and the fair compensation of security researchers. 

Researcher Engagement

The number of active participants in our public program is over 5 times that of our private program, meaning researchers are actively researching and coming back to submit multiple reports regularly.

Chart showing researcher engagement

As anticipated, the program experienced a significant increase in the number of researchers submitting security reports, which has been instrumental in providing us with a broader range of perspectives. This influx of talented researchers has enriched the program by bringing in diverse skill sets, experiences, and insights. 

Interesting Bugs

Our public bug bounty program has allowed us to remediate high risk and important vulnerabilities on LinkedIn products, ultimately protecting and safeguarding our members’ data. Here are some of the most interesting or impactful reports we’ve seen (these publicly disclosed bugs have been fixed and we have not found any evidence of their exploitation):

Access Control Issue Allowing Unauthorized Recruiter Access to Resumes

A researcher found an access control issue which allowed a recruiter to download resumes without the appropriate access. The security researcher identified the issue within a month of it being accidentally introduced via an unrelated bug fix. The bug was fixed within 24 hours of our being notified, and the finding helped improve our processes to proactively detect security issues that may get introduced during activities such as minor functional bug fixes.

Access Control Issue Allowing Unauthorized Access to Draft Job Data

A researcher found an access control issue which allowed an unauthorized user to view data related to job posts that were not yet published. Because we always want to ensure that all non-public data is adequately protected, we undertook an initiative to identify similar issues and areas for improvement to strengthen controls around protecting draft data.

Unauthorized Access to View Subscribers of Other Users’ Newsletters

A researcher found an access control issue which allowed unauthorized users to view the subscriber list of other users' newsletters. This issue also enabled us to identify similar areas to strengthen security controls and processes across the board for other potential similar access control issues.
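The three reports above share one shape: the handler checked who the caller was (a recruiter, a logged-in member) but not whether that caller was entitled to the specific object being requested (a resume, a draft job, a subscriber list). The example below is added here and is not LinkedIn's code; the data model (`User`, `Resume`, the `shared_with` set) and the sample records are constructed for illustration. It shows the role-only check beside an object-level check, and a small access matrix that can be kept as a regression test so that a later, unrelated change that drops the object check is caught before release, the kind of proactive detection the first report prompted.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed, hypothetical data model for illustration only.
@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset

@dataclass(frozen=True)
class Resume:
    resume_id: str
    owner_id: str
    shared_with: frozenset  # recruiter ids the owner has released this resume to

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

# Sample records (constructed).
RESUMES = {
    "r-1": Resume("r-1", owner_id="member-a", shared_with=frozenset({"recruiter-x"})),
    "r-2": Resume("r-2", owner_id="member-b", shared_with=frozenset()),
}
MEMBER_A = User("member-a", frozenset({"member"}))
RECRUITER_X = User("recruiter-x", frozenset({"recruiter"}))
RECRUITER_Y = User("recruiter-y", frozenset({"recruiter"}))


def download_resume_role_only(actor: User, resume_id: str) -> Resume:
    """'Before' shape: the decision looks only at the caller's role.
    Any recruiter can fetch any resume id, which is the access control gap."""
    resume = RESUMES[resume_id]
    if "recruiter" in actor.roles or actor.user_id == resume.owner_id:
        return resume
    raise Forbidden(resume_id)


def can_access_resume(actor: User, resume: Resume) -> bool:
    """Object-level authorization: the decision depends on the actor AND the object."""
    if actor.user_id == resume.owner_id:
        return True
    return "recruiter" in actor.roles and actor.user_id in resume.shared_with


def download_resume_object_level(actor: User, resume_id: str) -> Resume:
    """'After' shape: look the object up, then ask whether this actor may see it."""
    resume = RESUMES.get(resume_id)
    # One failure path for 'missing' and 'not yours', so responses do not
    # reveal which ids exist.
    if resume is None or not can_access_resume(actor, resume):
        raise Forbidden(resume_id)
    return resume


# (actor, resume_id, expected_allowed): the access matrix the product intends.
AccessCase = tuple[User, str, bool]
ACCESS_MATRIX: list[AccessCase] = [
    (MEMBER_A, "r-1", True),      # owner reads own resume
    (MEMBER_A, "r-2", False),     # member reads someone else's resume
    (RECRUITER_X, "r-1", True),   # recruiter the resume was shared with
    (RECRUITER_X, "r-2", False),  # recruiter, but not shared with them
    (RECRUITER_Y, "r-1", False),  # different recruiter, not shared
    (RECRUITER_Y, "r-2", False),
]


def find_authorization_regressions(
    handler: Callable[[User, str], Resume], cases: Iterable[AccessCase]
) -> list[AccessCase]:
    """Run every case through the handler; return the cases whose outcome
    (allowed vs. Forbidden) differs from what the matrix says it should be."""
    failures: list[AccessCase] = []
    for actor, resume_id, expected_allowed in cases:
        try:
            handler(actor, resume_id)
            allowed = True
        except Forbidden:
            allowed = False
        if allowed != expected_allowed:
            failures.append((actor, resume_id, expected_allowed))
    return failures


if __name__ == "__main__":
    for name, handler in [("role-only", download_resume_role_only),
                          ("object-level", download_resume_object_level)]:
        bad = find_authorization_regressions(handler, ACCESS_MATRIX)
        print(f"{name}: {len(bad)} access matrix violation(s)")
        for actor, resume_id, expected in bad:
            print(f"  {actor.user_id} -> {resume_id}: expected allowed={expected}")
```

The access matrix is the durable artifact here: it encodes the product's intent independently of any one handler, so it keeps failing when a functional fix quietly reintroduces the role-only shape, and it extends naturally to the draft-job and newsletter-subscriber cases by adding rows for those objects.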

Looking Back

As we reflect on the past year, the public bug bounty program helped us improve processes, and strengthen defenses across our products and platforms. This was primarily possible due to the breadth of experience of the researchers. Here are some key takeaways from our journey so far:

  1. Automation helps a great deal to scale the program. Invest in automation wherever possible throughout the lifecycle of a vulnerability.

  2. Invest time in establishing relationships with your bug bounty platform (HackerOne in our case) to streamline internal workflows and researcher experience.

  3. Ensure that there is crisp guidance regarding disclosure requests while allowing researchers to share their findings publicly for the overall community to learn from.

  4. Assign fair and clearly defined bounty rewards for researcher contributions. Publish clear guidelines regarding the triage process and criteria in the program policy to be transparent to all participants.

  5. Uphold reasonable standards for timely responses throughout the various stages of researcher interaction (e.g., initial triage, bounty awards, and retests).

Researcher Spotlight

One of the major benefits of running a bug bounty program is the ability to work, collaborate, and build relationships with the top security researchers in the world. Some of the top researchers on the program had this to say regarding their experience on LinkedIn’s bug bounty program:

"The LinkedIn bug bounty program is the best program in my opinion. I really like helping LinkedIn to make it safer so that users feel comfortable (because I'm also a user on LinkedIn). I like the response of the LinkedIn staff who are transparent and honest in handling the vulnerability reports that I send."

- @amr_id

"As a committed LinkedIn user, I am grateful for the opportunity to contribute to the safety of this platform through the bug bounty program. The complexity and interconnectivity of LinkedIn's product ecosystem presents an engaging and thought-provoking challenge for security testing.

What stands out most to me is the responsive and collaborative nature of the LinkedIn team. Their swift and comprehensive responses to submitted reports are commendable. If there are uncertainties or areas of concern, they are dedicated to collaborative problem solving, which I highly appreciate.

I firmly believe that LinkedIn's open bug bounty program has significantly strengthened the security of their products over the years. The continuous collaboration and responsiveness have played a crucial role in this transformation. I look forward to further contributing to LinkedIn's pursuit of excellence in cybersecurity."

- @headhunter

What’s Next

As we progress on this journey, we are committed to keeping you informed with the latest developments. Stay tuned for exciting updates, as we have some noteworthy additions planned, such as the integration of more applications, enhanced incentives, and closer collaborations with the broader security community. 

Acknowledgements

First and foremost, we are grateful to the Bug Bounty community for their engagement with our program, and look forward to many years of continued engagement. We are also grateful to multiple cross-functional teams at LinkedIn for their contribution.