LinkedIn will continue a bug bounty program that pays out to a closed group of security researchers, reports PC World, claiming that an invite-only approach reduces the number of irrelevant reports.
Writing on the LinkedIn blog, the company’s director of information security Cory Scott said that the program was started in October 2014 and has already paid out $65,000 for more than 65 ‘actionable bugs’. The researchers are hand-picked and invited by the company to join the program, working closely with its own security experts.
“This private bug bounty program gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers,” wrote Scott. “The program is invitation-only based on the researcher’s reputation and previous work.”
“An important factor when working with external security reports is the signal-to-noise ratio: the ratio of good actionable reports to reports that are incorrect, irrelevant, or incomplete,” he continued. “LinkedIn’s private bug bounty program currently has a signal-to-noise ratio of 7:3, which significantly exceeds the public ratios of popular public bug bounty programs.”
SC Magazine notes that LinkedIn has sought assistance from HackerOne, a San Francisco-based vulnerability management and bug bounty platform provider whose customers include Adobe, Snapchat and Airbnb.
Meanwhile, companies including Facebook, Dropbox and Twitter have opened up their bug bounty schemes to the masses. Last year, Facebook rewarded security researchers to the sum of $1.3 million for successful reports, as reported by We Live Security back in February.
Photo: Eziutka / Shutterstock.com