Explaining the decision to keep the program private, Cory Scott, LinkedIn’s director of information security, wrote in a blog post that the invitation-only program “gives our strong internal application security team the ability to focus on securing the next generation of LinkedIn’s products while interacting with a small, qualified community of external researchers.”

Scott noted that:

65 actionable bugs were reported by the participants in LinkedIn’s private bug bounty program.

Successful fixes have been implemented for each of those bugs.

LinkedIn has paid out $65,000 in bounties since the program launched.

LinkedIn runs the program on HackerOne, a bug bounty platform and vulnerability coordination provider, which handles the intake of vulnerability reports from participating researchers.

Scott is due to give a presentation at Black Hat 2015 and wrote: “While the vast majority of reports submitted … were not actionable or meaningful, a smaller group of researchers emerged who always provided excellent write-ups, were a pleasure to work with and genuinely expressed concern about reducing risk introduced by vulnerabilities.”

Joining the ranks of other tech giants

Major companies including Google, Yahoo and Facebook have long-established bug bounty programs. Google has recently extended its bug bounty program beyond its Chrome browser to its Android mobile platform.

LinkedIn’s program follows a private, invitation-only model: researchers are selected on their reputation and their previously recognized work. The program also tracks each researcher’s ‘signal-to-noise ratio’, the proportion of valid, actionable reports to those that are incorrect, incomplete or entirely irrelevant.

LinkedIn’s invitation-only program has achieved a signal-to-noise ratio of 7:3, meaning roughly seven valid reports for every three that are noise, which Scott says is far better than the ratios public bug bounty programs typically see.

“Based on our experience handling external bug reports and our observations of the public bug bounty ecosystem we believe the cost-to-value of these programs no longer fit the aspirational goals they originally had,” Scott said.

LinkedIn’s security team works directly with every participant in the program to triage and handle their submissions. Because LinkedIn ships new code multiple times a day, the team also aims to find vulnerabilities before launch through pre-release testing and design review, rather than relying on external reports alone.

Although the bounty program itself is invitation-only, any security researcher can still report a vulnerability to LinkedIn by emailing security@linkedin.com. LinkedIn says it will respond to every legitimate report and encourages anyone who finds a bug to report it.