LinkedIn

Introduction

LinkedIn believes that close partnerships with security researchers make us all more secure. Security researchers play an integral role in our ecosystem by discovering vulnerabilities that went undiscovered during the software development process. We partner with security researchers to better protect our millions of members worldwide.

If you are a security researcher who has found a vulnerability on LinkedIn, we want to hear from you. You can submit a report by clicking on “Submit Report” on this page. If your report affects a product or service that is within the scope of our bounty program, you may receive a bounty award.

Guidelines

  • We want to award you for your research: Submissions that contain steps to reproduce your proof of concept along with a detailed analysis are eligible for quicker awards because they help us quickly assess the risk posed by a vulnerability.

  • We are looking for new and novel vulnerabilities: Your contributions help us address vulnerabilities we did not discover during the development process or do not already know about. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you may still be eligible for a bounty award if there is new information within your report that we were previously not aware of.

  • Avoid harm to member data, privacy, and service availability: Since security research may depend on services that our members use and depend on, avoid research that violates member privacy, destroys data, or interrupts service. If you discover confidential member data while researching, stop and contact us immediately so we can work with you to address the issue.

  • Follow the disclosure process: If you find a vulnerability, report it to us privately and give us the opportunity to correct it and protect our members. We work on reports diligently in order to address them quickly, and in recognition of your partnership we offer bounty awards and will acknowledge your contributions when the vulnerability is fixed.

Bug Bounty Program Rules

Please review the program rules carefully before you submit a bug report. By participating in LinkedIn’s Bug Bounty program, you agree to be bound by these rules. As part of our security program at LinkedIn, we recognize and encourage responsible security research into our LinkedIn applications.

What Qualifies?

Implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure are within scope. Examples of these would include:

  • Cross-site scripting

  • Cross-site request forgery

  • SQL injection

  • Authentication flaws (website, mobile, or API)

  • Access control issues that impact member-to-member communications or other data that is not shared with connections

  • Server-side code execution bugs

Bugs that do NOT qualify:

  • Issues with profile visibility (except access control issues mentioned above)

  • Open redirects involving usage of LinkedIn’s built-in redirectors

  • Bugs that require unlikely user interaction or that rely on social engineering

  • Issues that disclose information about our infrastructure such as version numbers or banners

  • Denial of Service

  • Clickjacking without demonstrable security impact

  • General best practices related to CSP policies, lack of specific security headers, etc.

  • Vulnerabilities affecting users of outdated browsers or platforms

  • Physical attempts against LinkedIn property or data centers

  • Accessing content directly from our CDN (Content Delivery Network)

  • Sending messages or invitations to anyone on LinkedIn

  • Content injection issues

  • Password complexity issues for members

  • Logout cross-site request forgery

  • Social engineering of LinkedIn employees or contractors

  • Mobile security issues that require that the attacker has physical access to the device or that the phone is rooted or jailbroken

Rules

  • All researchers over 16 years old who may otherwise legally participate in such programs, who are not rendered ineligible by their employer, and who were not previously excluded from the program are eligible.

  • The vulnerability must be described in a manner that allows LinkedIn to reproduce the problem. Submissions that contain steps to reproduce your proof of concept along with a detailed analysis or working exploit are eligible for quicker awards because they help us quickly assess the risk posed by a vulnerability.

  • Researchers must respect our services and our members’ privacy. They must not: (i) degrade, interrupt, or deny service to our users; (ii) modify, delete, or otherwise misuse LinkedIn member data, nor access non-public member information without authorization; (iii) make threats nor demand money/payments in exchange for disclosing vulnerabilities; (iv) publicly disclose vulnerabilities without responsibly disclosing and receiving written approval from LinkedIn first; or (v) otherwise violate LinkedIn’s User Agreement. Any non-public member data inadvertently accessed must be promptly deleted, reported to LinkedIn, and may not be used for any purpose.

  • For every report, we will endeavor to: (i) acknowledge the vulnerability report within 48 hours of receipt; (ii) provide a time frame for fixing the issue; and (iii) provide notification that the issue has been fixed. Our review time will vary depending on the complexity and completeness of your submission. Note that you may be paid before the issue is fixed, and payment is not notification of fix completion.

If you do not agree to these Terms, do not send us any submissions or otherwise participate in this program.

Disclosure Policy

Protecting our members is critically important to us so we strive to address each report in a timely manner. While we are addressing the report, we require that all submissions remain confidential and are not disclosed to anyone else.

Any information you receive or collect about us, our members, employees, or customers must be kept confidential and only used in connection with the Bug Bounty Program. Researchers must not sell the vulnerability or any of its details to other parties, and must not share, distribute, or discuss the vulnerability or any of its details with any other parties until the vulnerability fix has been released, verified, and confirmed by us.

Any public disclosures should only occur after the vulnerability has been resolved and written approval has been provided by the LinkedIn team through the HackerOne platform. Failure to comply with the Disclosure Policy will result in immediate disqualification from the Bug Bounty Program and ineligibility from receiving any Bounty Payments.

Rewards & Recognition

We may choose to award a bounty for impactful vulnerabilities that are disclosed in accordance with these rules.

Our minimum reward is $100. Clever, unusual, or severe vulnerabilities may qualify for higher award amounts. LinkedIn will decide, in its sole discretion, how much to award for any reported vulnerability and whether a reported vulnerability is the same or similar to one previously reported. LinkedIn’s decision is final.

LinkedIn will typically pay for bounties based on the severity (CVSS score) of the issue. Bugs of similar nature reported by the same person may be combined into one item, thus constituting only a single award.

We will publicly recognize contributors to the program who submitted qualified bugs, whether or not a bounty was paid.

Reservation of Rights

LinkedIn reserves the right to change or cancel this program at any time. The decision to pay a reward is entirely at our discretion. This offer is void where prohibited by law, and the participant must not violate any law.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

In Scope

Scope Type            Scope Name
android_application   com.linkedin.android
ios_application       288429040
web_application       www.linkedin.com
web_application       api.linkedin.com


This program crawled on the 2022-05-18 is sorted as bounty.
