Current Version: 2.1

Responsible Disclosure Policy

Linode is committed to the security of its infrastructure and customer's data. Linode security posture has been designed to give customers the foundation to build secure systems and applications. At Linode, we take security very seriously to guarantee the security and confidentiality of both our infrastructure and customer data. Our team strives to quickly remediate vulnerabilities. We request that you follow coordinated disclosure guidelines until we confirm that the issue is fixed, tested and deployed. Please do not discuss any vulnerability outside of the program without Linode Security Team consent. We understand you may want to blog about your findings, but please get our permission and allow us to remediate the issue first.

Reporting Guidelines:

When submitting your report, please include a detailed description of the vulnerability, clear step-by-step reproduction instructions, and a concise analysis of the security impact. We encourage submitting a proof-of-concept video as well.

• Linode: Linode is dedicated to responding to any reports of security issues affecting our services. Linode has partnered with HackerOne to operate a private bug bounty and disclosure program. We happily pay security researchers who submit their report through our HackerOne program. If you are not part of the program, please use the Contact Security Team button here.
• Linode Abuse: If you suspect that Linode resources are being used for suspicious activity, you can report it to the Linode Abuse Team via the our abuse report portal, or by contacting abuse@linode.com.

SLA Evaluation

Linode is dedicated to providing response and transparent communication throughout the process of investigating and addressing security concerns. Upon reaching out to us, you can expect a personalized response within 48 hours, acknowledging the receipt of your reported vulnerability. Additionally, we will keep you informed of the progress regularly, with updates provided by Linode at least every five US working days. Some reports may require up to 60 days to be remediated after the report is acknowledged, depending on the complexity of the underlying issue. Our commitment is to ensure that you are promptly attended to and well-informed throughout the resolution process.

Scope

The following activities are out of scope for our Responsible Disclosure Program. Conducting any of the activities below will result in violation of this policy.

• Any activity that could lead to the disruption of our service, including but not limited to denial-of-service (DoS) attacks. If you identify a vulnerability that could lead to a service disruption, please report it without exploiting it.
• Physical attacks against Linode employees, offices, and data centers
• Social engineering of Linode employees, contractors, vendors, or service providers
• Attacks that require intercepting communication (e.g. MITM attacks) or physical access to a user's device
• Vulnerabilities that send unsolicited bulk messages (spam)
• Knowingly posting, transmitting, uploading, linking to, or sending malware to Linode or its employees, contractors, vendors or service providers
• “Brute force” testing, including testing one common password against a sequence of usernames

Many security researchers submit findings to us for assets they believe belong to Linode, because it was accessible on a subdomain of linode.com or because it is hosted on one of our IP addresses. Only assets that are owned and controlled by Linode are in scope for this program.

The following subdomains are used for customer services and are considered out of scope.

Any services deployed by our customers using these products are out of scope. The vast majority of services on these domains will be our customer assets. If you find an issue on an instance owned by our customer who is responsible for configuring and patching, we recommend contacting the customer that owns the instance (if known) and explaining the issue, or you can submit the report via our abuse report portal so our Abuse Team can notify our customer.

Public Disclosure

To ensure the utmost protection for our valued customers, we kindly request that you refrain from publicly disclosing any information regarding potential vulnerabilities until we have thoroughly investigated, responded to, and resolved the reported issue. If necessary, we will promptly notify affected customers once the matter has been addressed. Additionally, we respectfully ask that you refrain from posting or sharing any data that belongs to our customers.

Please understand that addressing a valid reported vulnerability requires time, as the timeline may vary depending on the severity of the vulnerability and the impacted systems. Rest assured, we are committed to resolving these matters diligently and efficiently.

Rewards

Rewards are paid only through our HackerOne program for reports with a valid proof of concept following the guidelines mentioned in this page, at our sole discretion. We generally do not accept requests to join our HackerOne private program unless you have a valid report submitted through the “Contact Security Team” button at https://hackerone.com/linode. Exceptions will be made at the discretion of our Security team.

We look forward to reading your reports. Happy hunting!