1. Purpose of ProgramThe purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app or the WEB sites, and provide LINE users (“Users”) the most secure service possible.
2. Program DatesReport Submission Dates: 3pm, on June 2, 2016 (GMT+9) ~
3. Program flowResults will be made public successively after the conclusion of internal review.
4. Eligibility1.the latest version of the LINE messenger app
5. Conditions for Participation
|SQL Injection||Ability to access private information through an SQL injection attack||USD 3,000|
|Cross-Site Scripting (XSS)||Ability to hijack a session or execute scripts through an XSS attack||USD 500~|
|Cross-Site Request Forgery (CSRF)||Ability to force a LINE user to perform an undesired process through a CSRF attack||USD 500|
|Remote Code Execution||Ability to send packets containing arbitrary code to the client or server side||USD 10,000|
|Authentication Bypass||Ability to masquerade as another person by bypassing authentication procedures||USD 5,000|
|Purchase Bypass||Ability to obtain items while bypassing in-app payment procedures||USD 5,000|
|Encryption Break||Ability to obtain another person’s authentication information by cracking encrypted data||USD 10,000|
|Improper Certificate Validation||Ability to obtain sensitive information by failing to validate SSL certificate.||USD 10,000|
|Server-Side Request Forgery (SSRF)||Ability to abuse functionality on the server to read or update internal resources.||USD 2,500|
|Client-Side Enforcement of Server-Side Security||Ability to bypass protection mechanism by relying on the client side protection only.||USD 500|
|Improper Access Control||Ability to access originally non-public pages because of access control failure.||USD 500~|
|Password in Configuration File||Ability to obtain a password or sensitive information in a configuration file.||USD 500|
|Insecure Direct Object Reference (IDOR)||Ability to bypass authorization and access resources directly by modifying the value of a parameter.||USD 5,000|
|Information Exposure Through Debug Information||Ability to obtain sensitive information through debugging information.||USD 500|
|Privilege Escalation||Ability to obtain elevated access to resources that are normally protected from an application or user.||USD 3,000|
|Cleartext Transmission of Sensitive Information||Ability to eavesdrop sensitive information in the network traffic.||USD 500~|
|Path Traversal||Ability to access arbitrary files and directories by manipulating variables||USD 500~|
|Other||Other vulnerabilities||USD 500|
7. Vulnerabilities not eligible for rewardsExamples of vulnerabilities not eligible for cash rewards are listed below. However, LINE may deem additional cases eligible for the cash reward at its own discretion.
9. Program DetailsFor more details on the program, please click here.
Please use the Bug Report Form to report any bugs you find.
The Bug Report Form page will be available from 15 pm, June 2, 2016 (GMT+9).
We have created a list of things that will not be recognized as bugs. Please make sure that you understand the items listed on the Details Page (Vulnerabilities not Eligible for Cash Reward) before submitting your report.
1. Notes Regarding Reporting and ReviewsVulnerability reviews are conducted according to standards established by LINE Corporation. If the vulnerability is recognized, the submitter will be contacted by e-mail.
2. Other InquiriesSee Article 18 of the Details Page.
3. Reporting bugs not related to the LINE Security Bug Bounty ProgramIf you are unable to use the report form, or you would like to report a bug unrelated to this program, please contact us at firstname.lastname@example.org