
LinkedIn’s invite-only bug bounty program, which has been running since 2014, is being replaced by a public bug bounty.
Critical security vulnerabilities discovered on the business-oriented platform will earn researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.
The program, which is hosted by HackerOne, invites hackers to probe the main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API plus Android and iOS mobile apps.
The program is scoped to a wider range of vulnerabilities, which includes “implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure” such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication, access control, and server-side code execution vulnerabilities.
Our security team strives to provide a safe and secure experience for our 830 million members and customers by quickly addressing security vulnerabilities, constantly improving our defenses, and safeguarding our product development process.
LinkedIn statement
The private program had since its launch awarded more than $250,000 across nearly 500 submissions covering the LinkedIn member platform and mobile applications, and because of the program’s success, we have decided to make the program public and expand participation to anyone wanting to report potential security vulnerabilities.
LinkedIn statement
LinkedIn, which connects business professionals with each other and job opportunities, was the source of two enormous data leaks in 2021, affecting 500 million and 700 million users respectively, but these were attributed to the scraping of public web pages rather than cyber-attacks.
But LinkedIn was blamed, both by security experts and members of the US Congress, over hacks that took place earlier. In 2012, initial findings were that 6.4 million passwords were leaked, but in 2016 the leak transpired to comprise emails and passwords belonging to 117 million users.