Vulnerabilities Excluded From Scope
Vulnerabilities that we judge as likely to fall under any of the
categories below are considered out of scope for this program.
• Automated scanner findings reported as-is, without
further verification
• Hypothetical or theoretical vulnerabilities without
actual verification code
• Susceptibility to brute force attacks aimed at
retrieving passwords or tokens
• Request flooding DoS and/or any Server Side DoS attack
that may lead to disruption of our service(s)
• Cache-Poisoned Denial-of-Service
• Ability to send arbitrary spam messages to LINE
users
• Ability to change a password without confirmation of
the previous password on LINE app
• Session fixation
• Absence of Cross-Site Request Forgery (“CSRF”) token
in non-critical processes
• Login/logout CSRF
• Attack requiring physical access to a user's device or
using a rooted device
• Missing security header(s)
• Script executions that do not affect Users
• Vulnerabilities attributable to out-of-date browsers
or platforms
• Content related to autofill of web forms
• Absence of secure flag attribute for non-critical
cookies
• Unsafe SSL/TLS cipher suites or protocol version
• Accessibility of profile photos, VOOM photos, etc. by
anyone via URL
• Vulnerabilities attributable to virtual phone numbers
• Software version disclosure / Banner identification
issues / Descriptive error messages or headers (e.g. stack
traces, application or server errors).
• Missing email best practices (Invalid, incomplete or
missing SPF/DKIM/DMARC records, etc.)
• Reporting that an unauthorized HTTP method can be used
• Reporting vulnerabilities related to clickjacking,
tabjacking, tabnabbing, text injection, open redirect, DNS CAA
records, or DNSSEC records
• Credit card or payment platform reimbursement features
• Overwriting of files or databases on device, or
falsely showing possession of an item by altering a file along
the communication pathway.
• Vulnerabilities affecting only a single browser or a
single version
• Username/e-mail enumeration only
• Exposure or lack of security controls on Google Maps
API keys
• Exposure of API keys with no security impact
• Subdomain takeover reports with CNAME records
regarding the livedoor.jp domain without proof of concept
• Broken link hijacking (social media accounts, etc.)
• Status monitoring page with no disclosure of sensitive
data (e.g., Apache server status and internal metrics)
• HTTP Request Smuggling (HRS) and related
desynchronization attacks
Prohibited Activities
The following activities are prohibited.
• Port scanning. Please conduct vulnerability testing
only on ports 80 and 443.
• Using automated vulnerability scanners to attack our
systems
• Performing DoS attacks or any actions that place
excessive load on our services
• Physically attacking our assets or data centers
• Conducting social engineering (phishing, vishing,
smishing, etc.)
• Sending a vulnerability report that includes a third
party’s personal data without obtaining their prior consent
• Any activity that harms our customers, employees,
partners, or the provision of our services
• Carrying out or promoting fraudulent transactions
(such as unauthorized billing or product shipment
manipulation)
• Extracting, modifying, destroying, or disclosing to
third parties any information about our customers, partners,
or employees, or any of our trade secrets or those of our
partners, beyond what is necessary for vulnerability reporting
• If we determine that your actions violate or may
violate our Terms of Use or these guidelines, or are otherwise
inappropriate, we may take necessary measures such as blocking
communication or suspending accounts.
Notes
• Reporters must not disclose or leak to third parties
any information related to vulnerabilities, or information
obtained by exploiting vulnerabilities, without our prior
written consent.
• If a reporter obtains personal data of our customers,
partners, or employees, or our trade secrets or those of our
partners, in connection with a vulnerability report, the
reporter must promptly delete such information (including
logs, etc.) from all systems and devices they use.
• Please do not include personal data of yourself or any
third party in your vulnerability report.
• Handling of submitted information:
• To take necessary measures based on your vulnerability
report, we may share the content of the report with third
parties such as system providers.
• We pay maximum attention to security in order to
safely manage the information collected from reporters.
Legal Matters (Safe Harbor)
Activities conducted in accordance with these guidelines are
regarded as authorized by us, unless their purpose or manner
is improper, and we will not take legal action against
reporters for such activities. If a third party takes legal
action against a reporter in connection with activities
performed under these guidelines, we will take steps, as
appropriate, to clarify that the reporter’s actions were
carried out in accordance with these guidelines and consider
other necessary measures.