Public-facing bug bounties are the shiny new bauble of computer security. And with good reason: in most cases, companies that start their own bounties or go through a third-party platform provider are able to draw on a pool of skilled contributors, patch products, and improve security overall.
LinkedIn has taken a decidedly quieter approach. Since October, it has been running a private bug bounty program that it says has helped its application security team weed out less critical bugs and focus on submissions largely from researchers already participating in its vulnerability disclosure process.
The company today decided to share some of its early successes, in particular that it has patched 65 bugs via its program and paid out more than $65,000.
“The discussions around bug bounties have presumed that you should either have a public, take-all-comers approach or use a third-party service to manage the entire program for you like an outsourced penetration test (which is also not a great idea),” said Cory Scott, director of information security at LinkedIn. “Our approach is different and sharing it can add some nuance to the dialogue that others may find useful. We wanted to make sure we were delivering strong results before we talked about the program and have seen success to date.”
Scott said that LinkedIn’s decision to keep its bounty program private and limited to a smaller circle of contributors gives its application security team confidence that bug submissions won’t be poorly researched or irrelevant. If the program were public, for example, Scott said that providing a response and analysis on each report would require considerable resources if those bugs were to be addressed promptly.
“We’ve seen the signal-to-noise ratio of public bug bounty programs continue to degrade, requiring companies to hire dedicated resources, engage consultancies, or use their platform vendor to sift through all of the bug reports to find actionable reports,” Scott said. “Instead of going down that route, we saw a group of researchers who had disclosed bugs to us without any expectation of payment through our vulnerability disclosure process, and we said, ‘Hey, we like working with these guys – we know our platform, they’re interested in working with us in a coordinated fashion – why not get them in a program that will reward them as they do their research moving forward?’ That’s the spirit of how the original bounty programs started, and I think this is a model for how to bring it back to the original intent.”
Scott said that LinkedIn, in addition to its existing contributors, also invited some researchers who participated in other bounty programs and whose reputations were strong in terms of submission reports and research. So far, it’s paid out $65,000 in its first eight months, primarily for implementation and design issues that would put either user data or LinkedIn’s architecture at risk, Scott said. Some of the bugs in scope are perpetual application security issues such as cross-site scripting, cross-site request forgery, SQL injection, authentication flaws, access control issues that impact member-to-member communications or other data that is not shared with connections, and server-side code execution bugs. Scott would not disclose any specific bugs or classes of bugs that have been eliminated because of a submission to its program.
“We’ve been able to give bonus awards to certain types of research that show creativity or persistence due to our ability to reduce noise. Another advantage of our private program is that we’re not needing to deal with the gamesmanship present in many bug bounty programs, where you end up paying a bounty on bugs that end up in the category of ‘not meaningful yet within the rules’ – our private bounty researchers don’t tend to go down this path,” Scott said. “They’re much more interested in finding actionable bugs that impact our members.”
Scott said that LinkedIn could someday consider a public bounty for targeted testing or specific objectives. In the meantime, it joins a long list of other leading technology companies that have turned to some form of crowdsourcing for vulnerability research.
“I think bounty programs can represent an overture to the public that your company cares about security bugs and wants to establish a good path of disclosure. However, lots of companies have been running successful vulnerability disclosure programs without bounties for many years without much attention,” Scott said. “Without offering a bounty for participation, it’s difficult to market these programs as anything other than a traditional response process. The goal is to find the right balance to get good bugs, treat researchers right, and let the public know that you’re exploring every potential avenue to protect their data.”