Current Version: 1.0
Responsible Disclosure Policy

Last Updated: 15 September 2020
Effective Date: 15 September 2020

Linode is committed to the security of our infrastructure and our customers’ data. Our infrastructure posture has been designed to give our customers the foundation to build secure systems and applications to meet our customers’ needs.

Linode is dedicated to responding to any reports of security issues affecting our services. Linode has partnered with HackerOne to operate a private bug bounty and disclosure program. We happily pay security researchers who submit their report through our HackerOne program. In addition, we also accept reports sent to us via email. More on this in the Rewards section of this page. 

However, if you are not a part of our existing bug bounty program, and you have found a vulnerability within Linode's environment, please email us at [email protected].

Please feel free to use our PGP key to encrypt your findings before emailing them. Linode seeks to ensure the security and confidentiality of our infrastructure and customer data. Our team strives to quickly remediate all vulnerabilities. Some reports may require up to 90 days to be remediated after the report is acknowledged, depending on the complexity of the underlying issue. We request that you follow coordinated disclosure guidelines until we confirm that the issue is fixed, tested and deployed. Please do not discuss any vulnerabilities outside of the program without express consent from Linode. We understand you may want to blog about your findings, but please get our permission and allow us to remediate the issue first.

Reporting Guidelines:

Please review our program guidelines before submitting your report to [email protected]. When submitting your report, please include a detailed description of the vulnerability, clear step-by-step reproduction instructions, the security impact it has on Linode’s platform and classification of the issue. You may submit a video POC as well. Our team will review your report and reply within 2 working days. If we require more information, we will contact you directly. 

Distinguishing Linode infrastructure from our customer assets:

Many security researchers submit findings to us for assets they believe belong to Linode because the assets are accessible on a subdomain of Linode.com or are simply hosted on one of our IP addresses. However, services that are owned and maintained by our customers may also use our IP addresses and subdomains. The following subdomains are used for customer services and are considered out of scope for our disclosure program:

  • NodeBalancers (*.nodebalancer.linode.com): Used for a load balancing product offered to our customers.
  • Linode instances (*.members.linode.com): Default DNS name for new Linode instances.
  • Linode Object Storage (*.linodeobjects.com): S3-compatible object storage service.
  • Linode Kubernetes Engine (*.linodelke.net): Kubernetes service offered to our customers.

Any services deployed by our customers using these products are out of scope. The vast majority of services on these domains will be our customer assets. However, Linode uses its own products and services for infrastructure as well, so some of our in-scope assets may also be addressable via these subdomains.

Assets In Scope:

  • Our Website: https://www.linode.com
  • Our APIs: https://api.linode.com/v4
  • Our Cloud Manager: https://cloud.linode.com
  • Linode Shell: https://lish-*.linode.com
  • Our Login portal: https://login.linode.com
  • Our Developer tools: https://developers.linode.com
  • Community Q&A: https://linode.com/community/questions (while we accept reports related to our community site, we forbid testing issues that may result in a large number of test posts)
  • Any of our core products, such as Linode Kubernetes Engine, Block Storage, Object Storage, NodeBalancers, and more

Assets Out of Scope:

Any Linode/instance that belongs to our customers and isn’t mentioned above is generally considered out of scope. If you find an issue on an instance owned by a customer who is responsible for configuring and patching it, we recommend contacting the customer that owns the instance (if known) and explaining the issue, or you can submit the report via our abuse report portal so our Support Team can notify our customer.

  • *members.linode.com (unless the instance is owned by Linode)
  • https://welcome.linode.com/*
  • https://www.linode.com/community/questions (except as noted above)
  • https://*.linodeobjects.com
  • https://*.linodelke.net

Common high severity vulnerabilities:

The following types of vulnerabilities are typically eligible for a bounty at the upper end of our reward scale:

  • Remote code execution (RCE) on Linode backend services
  • Privilege escalation
  • Hypervisor access
  • SQL injection
  • Authentication bypass
  • Cross account access
  • Stored cross-site scripting (XSS) that can affect other users

Out of Scope Vulnerabilities:

The following issues are considered out of scope:

  • Any Linode systems not listed in scope above
  • Vulnerabilities reported by automated tools without analysis or qualification. Reports from automated web vulnerability scanners are acceptable only if they are validated
  • Vulnerabilities found in systems owned by our customers
  • Common weaknesses, insecure design principles or security best practices that are not explicit vulnerabilities
  • Clickjacking on pages with no sensitive actions
  • Unauthenticated logout CSRF
  • Self-XSS
  • Previously known vulnerable libraries without a working proof of concept
  • Missing best practices in SSL/TLS/HSTS configuration
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
  • Error pages, broken links, typographic errors or missing graphics
  • CSV or formula injection attacks

Vulnerabilities that have already been submitted by another hacker, that we are already aware of or are currently working to fix, or that have been classified as ineligible can be marked duplicate or N/A.

Out of scope methods:

  • Any activity that could lead to the disruption of our service (DoS)
  • Physical attacks against Linode employees, offices, and data centers
  • Social engineering of Linode employees, contractors, vendors, or service providers through phishing, vishing, smishing, etc.
  • Attacks requiring MITM or physical access to a user's device
  • Vulnerabilities that send unsolicited bulk messages (spam)
  • Social engineering attacks
  • Knowingly posting, transmitting, uploading, linking to, or sending malware to Linode or its employees, contractors, vendors or service providers
  • “Brute force” testing, including testing one common password against a sequence of usernames

Rewards:

Our rewards are disbursed only through our HackerOne program for reports with a valid proof of concept following the guidelines mentioned on this page, at our sole discretion. If you submit a valid report to us through [email protected] we will invite you to our private HackerOne program. We generally do not accept requests to join our private HackerOne program unless you have a valid report submitted through [email protected]. Exceptions will be made at the discretion of our Security team.

Happy Hunting! We look forward to reading your reports.