1. Purpose of ProgramThe purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app or the WEB sites, and provide LINE users (“Users”) the most secure service possible.
2. Program DatesReport Submission Dates: 3pm, on June 2, 2016 (GMT+9) ~
3. Program flowResults will be made public successively after the conclusion of internal review.
4. Eligibility1.the latest version of the LINE messenger app
5. Conditions for Participation
|Category||Examples||Reference amount / Highly sensitive applications||Reference amount / Other applications|
|Remote Code Execution||Ability to send packets containing arbitrary system call to the client or server side||$30,000||$10,000 - $30,000|
|Full access to file system or database||SSRF,SQL Injection||$10,000 - $30,000||$3,000 - $10,000|
|Account takeover||Authentication Bypass||$5,000 - $10,000||$5,000 - $10,000|
|Logic flaw bugs, information leaks, or bypassing significant security controls||IDOR, impersonation, sensitive actions by user, Purchase Bypass||$5,000 - $15,000||$1,000 - $5,000|
|Execute code on the client||Cross-site scripting||$1,500 - $5,000||$500 - $1,500|
|Other valid security vulnerabilities||CSRF, Clickjacking, information leakage||$500 - $10,000||$500 - $10,000|
Notes: Vulnerabilities applicable only to some environments or some users may be subject to change reward amount.
7. Vulnerabilities not eligible for rewardsExamples of vulnerabilities not eligible for cash rewards are listed below. However, LINE may deem additional cases eligible for the cash reward at its own discretion.
9. Program DetailsFor more details on the program, please click here.
Please use the Bug Report Form to report any bugs you find.
The Bug Report Form page will be available from 15 pm, June 2, 2016 (GMT+9).
We have created a list of things that will not be recognized as bugs. Please make sure that you understand the items listed on the Details Page (Vulnerabilities not Eligible for Cash Reward) before submitting your report.
1. Notes Regarding Reporting and ReviewsVulnerability reviews are conducted according to standards established by LINE Corporation. If the vulnerability is recognized, the submitter will be contacted by e-mail.
2. Other InquiriesSee Article 18 of the Details Page.
3. Reporting bugs not related to the LINE Security Bug Bounty ProgramIf you are unable to use the report form, or you would like to report a bug unrelated to this program, please contact us at firstname.lastname@example.org