Business social networking service LinkedIn has revealed it has a private bug bounty programme that has been running since last year, with an average reward of $1,000 per bug.
Cory Scott, director for information security at the firm, said in a LinkedIn security blog post that the company wants to extend its existing relationship with the security industry but does not plan at present to have a public reward system.
"Our strong relationship with the security community is crucial to this process and we appreciate the work of individual researchers who contribute their expertise and time to make LinkedIn a safer place for our members," he said.
"In October 2014, we formalised this partnership with the creation of LinkedIn's private bug bounty programme.
"The participants have reported more than 65 actionable bugs and we have successfully implemented fixes for each issue. We've paid out more than $65,000 in bounties."
> LinkedIn's Private Bug Bounty Program: Reducing Vulnerabilities by Leveraging Expert Crowds https://t.co/eULQU5AuWj <- 65 bugs, 65K in bounties
> — David Barroso (@lostinsecurity) June 18, 2015
LinkedIn has chosen to keep the programme under wraps so that it can filter out time wasters and concentrate on building relationships with preferred researchers. Keeping things private is the most cost-effective option, according to Scott.
"While the vast majority of reports submitted to our notification email address were not actionable or meaningful, a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with and genuinely expressed concern about reducing risk introduced by vulnerabilities," he said.
"We created this private bug bounty programme with them in mind. We appreciated working with people dedicated to coordinated disclosure practices and wanted to engage them in a deeper and mutually rewarding relationship.
"Our security team works directly with each participant to handle every bug submission from beginning to end."
LinkedIn has stripped away some public reporting, but Scott said that the company continues to receive decent information through the [email protected] account and that the firm encourages people to keep sending them in.
The private model appears to be paying off. "LinkedIn's private bug bounty programme currently has a signal-to-noise ratio of 7:3, which significantly exceeds the public ratios of popular public bug bounty programmes," added Scott.
The decision follows moves by Google to extend its bounty programme for Android.