Social media platform ends private program after paying $250,000 in rewards over eight years

LinkedIn has launched a public bug bounty program to replace the invite-only program that has been running since 2014.

Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.

The program, which is hosted by HackerOne, invites hackers to probe the main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API plus Android and iOS mobile apps.

Going public

In scope on the Microsoft-owned platform are “implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure” such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication, access control, and server-side code execution vulnerabilities.

“Our security team strives to provide a safe and secure experience for our 830 million members and customers by quickly addressing security vulnerabilities, constantly improving our defenses, and safeguarding our product development process,” said LinkedIn in a blog post announcing the news.


Read more of the latest bug bounty news


The private program had since its launch “awarded more than $250,000 across nearly 500 submissions covering the LinkedIn member platform and mobile applications,” it added.

“Because of the program’s success, we have decided to make the program public and expand participation to anyone wanting to report potential security vulnerabilities.”

LinkedIn, which connects business professionals with each other and job opportunities, was the source of two enormous data leaks in 2021, affected 500 million and 700 million users respectively, but these were attributed to scraping of public web pages rather than cyber-attacks.

However, the Silicon Valley company was apportioned blame, both by security experts and members of the US Congress, over a 2012 hack that it initially thought affected 6.4 million user passwords, but in 2016 transpired to comprise emails and passwords belonging to 117 million users.


RELATED Yik Yak fixes information disclosure bug that leaked users’ GPS location