Last Updated: 6 December 2021
Effective Date: 15 September 2020
Linode is committed to the security of our infrastructure and our customers’ data. Our infrastructure posture has been designed to give customers a foundation on which to build secure systems and applications that meet their needs.
Linode is dedicated to responding to any reports of security issues affecting our services. Linode has partnered with HackerOne to operate a private bug bounty and disclosure program. We happily pay security researchers who submit their report through our HackerOne program. If you are not part of the program, please use the Contact Security Team button on our HackerOne page (https://www.hackerone.com/linode).
Linode seeks to ensure the security and confidentiality of our infrastructure and customer data. Our team strives to quickly remediate all vulnerabilities. Some reports may require up to 120 days to be remediated after the report is acknowledged, depending on the complexity of the underlying issue. We request that you follow coordinated disclosure guidelines until we confirm that the issue is fixed, tested and deployed. Please do not discuss any vulnerabilities outside of the program without express consent from Linode. We understand you may want to blog about your findings, but please get our permission and allow us to remediate the issue first.
Reporting Guidelines:
When submitting your report, please include a detailed description of the vulnerability, clear step-by-step reproduction instructions, and a concise analysis of the security impact. You may submit a proof-of-concept video as well.
Distinguishing Linode infrastructure from our customer assets:
Many security researchers submit findings to us for assets they believe belong to Linode, because the asset is accessible on a subdomain of linode.com or because it is hosted on one of our IP addresses. However, services that are owned and maintained by our customers may also use our IP addresses and subdomains. Only assets that are owned and controlled by Linode are in scope for this program.
The following subdomains are used for customer services and are considered out of scope:
Subdomain | Description |
Linode instances and NodeBalancers *.linodeusercontent.com | Used for customer-hosted content on a Linode instance or NodeBalancer (managed load balancer service). Reports for this domain will not be accepted unless you can demonstrate that the vulnerability is caused by a weakness in a specific product, service, or system owned by Linode. |
Linode Object Storage *.linodeobjects.com | Used for Linode Object Storage, an S3-compatible object storage system. The service itself is in scope for our program; however, customer data and services hosted within Linode Object Storage (and accessible via *.linodeobjects.com) are out of scope. Reports for this domain will not be accepted unless you can demonstrate that the vulnerability is caused by a weakness in a specific product, service, or system owned by Linode. |
NodeBalancers *.nodebalancer.linode.com | Used for Linode’s managed load balancer service. The service itself is in scope for our program; however, customer services hosted behind a NodeBalancer (and accessible via *.nodebalancer.linode.com) are out of scope. Reports for this domain will not be accepted unless you can demonstrate that the vulnerability is caused by a weakness in a specific product, service, or system owned by Linode. |
Linode instances *.members.linode.com | Used for Linode instances. Reports for this domain will not be accepted unless you can demonstrate that the vulnerability is caused by a weakness in a specific product, service, or system owned by Linode. |
Any services deployed by our customers using these products are out of scope. The vast majority of services on these domains will be our customer assets. However, Linode uses its own products and services for infrastructure as well, so some of our in-scope assets may also be addressable via these subdomains.
Assets Out of Scope:
Any Linode instances that belong to our customers and aren't mentioned above are generally considered out of scope. If you find an issue on an instance owned by one of our customers, who is responsible for configuring and patching it, we recommend contacting the customer that owns the instance (if known) and explaining the issue, or you can submit the report via our abuse report portal so our Support Team can notify the customer.
Assets In Scope:
Asset | URL or description |
Our Website | https://www.linode.com |
Our APIs | https://api.linode.com/v4 |
Our Cloud Manager | https://cloud.linode.com |
Linode Shell | https://lish-*.linode.com |
Our Login portal | https://login.linode.com |
Our Developer tools | https://developers.linode.com |
Community Q&A | https://www.linode.com/community/questions (While we accept reports related to our community site, we forbid testing of issues that may result in a large number of test posts.) |
Any of our core products | Such as Linode Kubernetes Engine, Block Storage, Object Storage, NodeBalancers, and more. |
Common high severity vulnerabilities:
The following types of vulnerabilities are generally eligible for a bounty at the upper end of our reward scale:
The following issues are considered out of scope:
Vulnerabilities that have already been submitted by another hacker, that we are already aware of or are currently working towards a fix for, or that have been classified as ineligible may be marked as duplicate or N/A.
Out of scope methods:
Rewards:
Rewards are paid only through our HackerOne program, at our sole discretion, for reports with a valid proof of concept that follow the guidelines on this page. We generally do not accept requests to join our HackerOne private program unless you have a valid report submitted through the “Contact Security Team” button at https://www.hackerone.com/linode. Exceptions will be made at the discretion of our Security team.
We look forward to reading your reports. Happy hunting!