1. Purpose of Program
The purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app or the WEB sites, and provide LINE users (“Users”) the most secure service possible.
2. Program Dates
Report Submission Dates: 3pm, on June 2, 2016 (GMT+9) ~
3. Program flow
Results will be made public successively after the conclusion of internal review.
4. Eligibility
1. the latest version of the LINE messenger app
5. Conditions for Participation
6. Rewards
Category | Examples | Reference amount / Highly sensitive applications | Reference amount / Other applications |
---|---|---|---|
Remote Code Execution | Ability to send packets containing arbitrary system calls to the client or server side | $30,000 | $10,000 - $30,000 |
Full access to file system or database | SSRF, SQL Injection | $10,000 - $30,000 | $3,000 - $10,000 |
Account takeover | Authentication Bypass | $5,000 - $10,000 | $5,000 - $10,000 |
Logic flaw bugs, information leaks, or bypassing significant security controls | IDOR, impersonation, sensitive actions by user, Purchase Bypass | $5,000 - $15,000 | $1,000 - $5,000 |
Execute code on the client | Cross-site scripting | $1,500 - $5,000 | $500 - $1,500 |
Other valid security vulnerabilities | CSRF, Clickjacking, information leakage | $500 - $10,000 | $500 - $10,000 |
Notes: Reward amounts for vulnerabilities applicable only to some environments or some users may be subject to change.
7. Vulnerabilities not eligible for rewards
Examples of vulnerabilities not eligible for cash rewards are listed below. However, LINE may deem additional cases eligible for the cash reward at its own discretion.
8. Donation of rewards
Users now have the option of donating their reward to organizations such as OSS and internet communities that have been specified by LINE. If users choose to donate their reward, LINE will match the value when making the donation. For more information, please see [Article 7 of the Terms of Use].
9. Program Details
For more details on the program, please click here.
Please use the Bug Report Form to report any bugs you find.
The Bug Report Form page will be available from 3pm, June 2, 2016 (GMT+9).
We have created a list of things that will not be recognized as bugs. Please make sure that you understand the items listed on the Details Page (Vulnerabilities not Eligible for Cash Reward) before submitting your report.
1. Notes Regarding Reporting and Reviews
Vulnerability reviews are conducted according to standards established by LINE Corporation. If the vulnerability is recognized, the submitter will be contacted by e-mail.
2. Other Inquiries
See Article 18 of the Details Page.
3. Reporting bugs not related to the LINE Security Bug Bounty Program
If you are unable to use the report form, or you would like to report a bug unrelated to this program, please contact us at dl_bugreport@linecorp.com