LinkedIn's Security Program
LinkedIn maintains an Information Security Program to ensure the confidentiality, integrity, and availability of all computer and data communication systems while meeting the necessary legislative, industry, and contractual requirements.
LinkedIn policies, procedures, and standards are based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001. In addition, we use an independent third-party body to audit our compliance with leading industry standards periodically.
Trust Center Updates
Atlassian Confluence in the news
In June 2022, Atlassian was made aware of current active exploitation of a remote code execution (RCE) vulnerability in Confluence Data Center and Server. Due to this Zero-Day Exploitation security vulnerability, LinkedIn has taken measures to mitigate while Atlassian works on releasing a fix. Please also note that Atlassian has provided remediation steps until the software patch is available. Per Confluence’s Security Advisory page, they expect that security fixes for supported versions of Confluence will begin to be available for download within 24 hours (estimated time, by EOD June 3 PDT). We will provide additional updates as we receive.
How is LinkedIn responding to Spring4Shell?
In late March 2022, a new remote code execution (RCE) vulnerability also known as Spring4Shell was discovered. Our security team responded quickly to determine impact and applicability.
Are LinkedIn services impacted?
LinkedIn’s services are not affected by this vulnerability. Nevertheless we will watch for further developments and actively monitor the situation.
Okta in the news
In March 2022, a threat actor known as LAPSUS$ claimed to have compromised Okta, a company LinkedIn and many of our peers use for authentication of third-party apps internally.
How is LinkedIn responding to this news?
We take the security and safety of our company and our platform seriously. We have not identified any impact to LinkedIn. We will continue to actively monitor our systems and take the necessary actions in order to keep our community safe.
Regarding the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell
How is LinkedIn responding to the Log4j zero-day vulnerability? The LinkedIn Security team has evaluated our exposure to the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell. Log4j is a Java-based logging utility found in a wide number of software products described here. The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. On Thursday evening LinkedIn immediately began deploying recommended mitigations and began to roll out permanent remediations.
Are LinkedIn's services impacted? LinkedIn products do make use of Java and Log4j. On Thursday, December 9, 2021, we immediately deployed recommended mitigations and began to roll out permanent remediations. As of December 15, 2021, remediation in our production environments was complete. There has been no member or customer impact.