Murtaza Amin runs Howtoweb and is a very heavy LinkedIn user. When he discovered a bug that let any user get LinkedIn Premium for free, he tweeted about it and drew responses from a lot of black hat hackers. However, he did not disclose the details to any of them and instead informed the LinkedIn team. Not being taken seriously, he finally sent an email to Jeff Weiner, CEO of LinkedIn. Top management responded to his report of the bug and promised him a recognition letter for his efforts.
After thinking over the entire episode, we feel LinkedIn could have been more responsive from the moment it received news of this bug. Read on for what Murtaza has to say on finding the bug and LinkedIn's response to it. Below is a reblog of his thoughts from his company blog.
Hello folks, I'm Murtaza Amin, an excessive and regular LinkedIn user. I have been using it for quite a long time, and I recently found a potential bug that allowed any user to get LinkedIn Premium for free, for life.
I tested it several times before contacting LinkedIn.
At first they didn't take my words seriously, but when I sent an InMail to the CEO of LinkedIn notifying him of the issue, I got a call from LinkedIn (USA). I spoke to a couple of senior executives there, including the CTO and the chief of LinkedIn data security.
Their only statement was, "Please share the details with us. We don't have a bounty program as of now, but we might do something for you in favor of your work, and we shall provide you with a letter of recognition for sure."
As for me, I expect some decent reward or an internship at LinkedIn's data security team (I hope I don't have to go through an exam for this anymore), but, on a serious note, I deserve something for pointing this out.
After exchanging a couple of emails and hours of negotiation over the phone, what do I end up with?
No replies, after serving them the secret recipe. Was my work worth this neglect?
I could have easily made more money if I had leaked this secret to some Russian or Turkish black hat hacker. Don't you think they should take security issues seriously? Especially after that security exploit which allowed a hacker to access 6.5 million passwords from LinkedIn's database. Proof about the exploit on Wikipedia.
If an Indian engineer can get 12,500 USD for revealing a bug that let anyone delete any photo from Facebook, I deserve something for my work! Proof of FB bounty.
This bug can seriously harm LinkedIn's revenue; who knows, some black hat hackers might already be using this to their advantage, or maybe selling Premium accounts at discounted rates. Instead of selling the trick to black hat hackers or using it for me and my team, I thought of sharing it with LinkedIn. As of now, I have received at least 50 emails and hundreds of Twitter mentions in the three days since I tweeted that I have a hack to get LinkedIn Premium for free. Most of them were offering me premium memberships to their black hat groups, cash rewards, etc., but I (don't know what the hell was going on in my mind at that time) chose to share it only with LinkedIn.
After reading the above, don't you think my work should be recognized? I could have done similar deeds, but I opted for something that works for LinkedIn as well.
If you support me, please share this post or comment to let LinkedIn know that it is a well-deserved internship/bounty.
Thanks for your support in advance. – Murtaza Amin