Up to $18k in rewards are available through LinkedIn's bug bounty program -
post-template-default,single,single-post,postid-3732,single-format-standard,bridge-core-2.6.5,qode-news-3.0.2,qode-page-transition-enabled,ajax_fade,page_not_loaded,qode-page-loading-effect-enabled,,qode_grid_1400,footer_responsive_adv,hide_top_bar_on_mobile_header,qode-content-sidebar-responsive,qode-child-theme-ver-,qode-theme-ver-25.0,qode-theme-bridge,qode_header_in_grid,wpb-js-composer js-comp-ver-6.5.0,vc_responsive

Up to $18k in rewards are available through LinkedIn’s bug bounty program

Up to $18k in rewards are available through LinkedIn’s bug bounty program

LLinkedIn has launched a public bug bounty program to replace the invite-only program that has been running since 2014.


Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.


The program, which is hosted by HackerOne, invites hackers to probe the main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API plus Android and iOS mobile apps.


Going public


In the scope of the Microsoft-owned platform are “implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure” such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, and authentication, access control, and server-side code execution vulnerabilities.


“Our security team strives to provide a safe and secure experience for our 830 million members and customers by quickly addressing security vulnerabilities, constantly improving our defenses, and safeguarding our product development process,” said LinkedIn in a blog post announcing the news.


The private program had since its launch “awarded more than $250,000 across nearly 500 submissions covering the LinkedIn member platform and mobile applications,” it added.


“Because of the program’s success, we have decided to make the program public and expand participation to anyone wanting to report potential security vulnerabilities.”


LinkedIn, which connects business professionals with each other and job opportunities, was the source of two enormous data leaks in 2021, affecting 500 million and 700 million users respectively, but these were attributed to the scraping of public web pages rather than cyber-attacks.


However, the Silicon Valley company was apportioned blame, both by security experts and members of the US Congress, over a 2012 hack that it initially thought affected 6.4 million user passwords, but in 2016 transpired to comprise emails and passwords belonging to 117 million users.


source: portswigger