Current Version: 1.1

Responsible Disclosure Policy

Linode is committed to the security of our infrastructure and our customers’ data. Our infrastructure posture has been designed to give our customers the foundation to build secure systems and applications to meet our customers’ needs.

Linode is dedicated to responding to any reports of security issues affecting our services. Linode has partnered with HackerOne to operate a private bug bounty and disclosure program. We happily pay security researchers who submit their report through our HackerOne program. If you are not part of the program, please use the Contact Security Team button here.

Linode seeks to ensure the security and confidentiality of our infrastructure and customer data. Our team strives to quickly remediate all vulnerabilities. Some reports may require up to 120 days to be remediated after the report is acknowledged, depending on the complexity of the underlying issue. We request that you follow coordinated disclosure guidelines until we confirm that the issue is fixed, tested and deployed. Please do not discuss any vulnerabilities outside of the program without express consent from Linode. We understand you may want to blog about your findings, but please get our permission and allow us to remediate the issue first.

Reporting Guidelines:

When submitting your report, please include a detailed description of the vulnerability, clear step-by-step reproduction instructions, and a concise analysis of the security impact. You may submit a proof-of-concept video as well.

Distinguishing Linode infrastructure from our customer assets:

Many security researchers submit findings to us for assets they believe belong to Linode, because it was accessible on a subdomain of linode.com or because it is hosted on one of our IP addresses. However, services that are owned and maintained by our customers also may use our IP addresses and subdomains. Only assets that are owned and controlled by Linode are in scope for this program.

The following subdomains are used for customer services and are considered out of scope:

Any services deployed by our customers using these products are out of scope. The vast majority of services on these domains will be our customer assets. However, Linode uses its own products and services for infrastructure as well, so some of our in-scope assets may also be addressable via these subdomains.

Assets Out of Scope:

Any Linode/instances that belong to our customers and aren't mentioned above are generally considered out of scope. If you find an issue on an instance owned by our customer who is responsible for configuring and patching, we recommend contacting the customer that owns the instance (if known) and explaining the issue, or you can submit the report via our abuse report portal so our Support Team can notify our customer.

Assets In Scope:

Common high severity vulnerabilities:

The following types of vulnerabilities are generally eligible for a bounty at the upper end of our reward scale:

• Remote code execution (RCE) on Linode backend services
• Privilege escalation
• Hypervisor access/virtual machine escape
• SQL injection
• Authentication bypass
• Cross account access
• Stored cross-site scripting (XSS) that can affect other users

The following issues are considered out of scope:

• Vulnerabilities reported by automated tools without analysis or qualification. Reports from automated web vulnerability scanners are acceptable only if you demonstrate the vulnerability is reproducible and has a security impact.
• Customer Linodes or vulnerabilities found in customer operated systems.
• Common weaknesses, insecure design principles or security best practices that are not explicit vulnerabilities
• Clickjacking on pages with no sensitive actions
• Unauthenticated/logout/login CSRF.
• Self-XSS
• Previously known vulnerable libraries without a working proof of concept
• Missing best practices in SSL/TLS/HSTS configuration
• Content spoofing and text injection issues, unless there is a demonstrated attack vector (e.g. modification of HTML/CSS)
• Error pages, broken links, typographic errors or missing graphics
• CSV or formula injection attacks

Vulnerabilities that have already been submitted by another hacker, that we are already aware of, or currently working towards a fix or that have been classified as ineligible can be marked duplicate or N/A.

Out of scope methods:

• Any activity that could lead to the disruption of our service, including but not limited to denial-of-service (DoS) attacks. If you identify a vulnerability that could lead to a service disruption, please report it without exploiting it.
• Physical attacks against Linode employees, offices, and data centers
• Social engineering of Linode employees, contractors, vendors, or service providers
• Attacks that require intercepting communication (e.g. MITM attacks) or physical access to a user's device
• Vulnerabilities that send unsolicited bulk messages (spam)
• Knowingly posting, transmitting, uploading, linking to, or sending malware to Linode or its employees, contractors, vendors or service providers
• “Brute force” testing, including testing one common password against a sequence of usernames

Rewards:

Rewards are paid only through our HackerOne program for reports with a valid proof of concept following the guidelines mentioned in this page, at our sole discretion. We generally do not accept  requests to join our HackerOne private program unless you have a valid report submitted through the “Contact Security Team” button at https://hackerone.com/linode. Exceptions will be made at the discretion of our Security team. 

We look forward to reading your reports. Happy hunting!