Summary

  • 193,500 USD total bounties paid
  • 103 issues rewarded (vulnerabilities)
  • 17 countries rewarded (nationalities)
  • 271 hackers submitted reports

LINE Security Bug Bounty Program

  1. Purpose of Program

    The purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app or the WEB sites, and provide LINE users (“Users”) the most secure service possible.
  2. Program Dates

    Report Submission Dates: from 3 pm, June 2, 2016 (GMT+9) onward
    See “Reporting & Review” below regarding reporting methods.
  3. Program flow

    Results will be made public successively after the conclusion of internal review.
    • Program Introduction
    • Vulnerabilities Report Submission
    • Internal Review
    • Announcement of the Results
  4. Eligibility

    1. The latest version of the LINE messenger app
    • LINE for iOS (latest version at the time of reporting)
    • LINE for Android (latest version at the time of reporting)
    • LINE for Chrome (latest version at the time of reporting)
    • LINE for Windows 10 Mobile (latest version at the time of reporting)
    Furthermore, vulnerabilities will be limited to those discovered in the following domains.
    • line-apps.com
    • line.me
    • line.naver.jp
    2. WEB sites
    • https://store.line.me/
    • https://news.line.me/
    • https://music.line.me/
    • https://live.line.me/
    Vulnerabilities discovered in other LINE-related apps released by LINE Corporation (LINE Family apps, LINE GAME apps) are not eligible for this program. Please refer to the Details Page (Article 3 Eligibility).
    (The scope of the program was increased on April 10, 2017.)
    Program participants may not perform the following actions. Participants who perform any of these actions will be disqualified from receiving reward money.
    • Using a discovered vulnerability to view, delete, alter, or publish user data
    • Using an automated vulnerability scanner to launch attacks against LINE's systems
    ※ If you perform any of the above actions using a discovered bug, be sure to mention that you did so in your vulnerability report.
  5. Conditions for Participation

    • Be an adult
    • Not be an employee of the Company or an affiliated company
    • Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company
    • Be able to communicate in Japanese or English
    • Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program
  6. Rewards

    | Vulnerability | Description example | Reward |
    | --- | --- | --- |
    | SQL Injection | Ability to access private information through an SQL injection attack | USD 3,000 |
    | Cross-Site Scripting (XSS) | Ability to hijack a session or execute scripts through an XSS attack | USD 500~ |
    | Cross-Site Request Forgery (CSRF) | Ability to force a LINE user to perform an undesired process through a CSRF attack | USD 500 |
    | Remote Code Execution | Ability to send packets containing arbitrary code to the client or server side | USD 10,000 |
    | Authentication Bypass | Ability to masquerade as another person by bypassing authentication procedures | USD 5,000 |
    | Purchase Bypass | Ability to obtain items while bypassing in-app payment procedures | USD 5,000 |
    | Encryption Break | Ability to obtain another person's authentication information by cracking encrypted data | USD 10,000 |
    | Improper Certificate Validation | Ability to obtain sensitive information because the SSL certificate is not validated | USD 10,000 |
    | Server-Side Request Forgery (SSRF) | Ability to abuse functionality on the server to read or update internal resources | USD 2,500 |
    | Client-Side Enforcement of Server-Side Security | Ability to bypass a protection mechanism that relies on client-side protection only | USD 500 |
    | Improper Access Control | Ability to access originally non-public pages because of an access control failure | USD 500~ |
    | Password in Configuration File | Ability to obtain a password or sensitive information from a configuration file | USD 500 |
    | Insecure Direct Object Reference (IDOR) | Ability to bypass authorization and access resources directly by modifying the value of a parameter | USD 5,000 |
    | Information Exposure Through Debug Information | Ability to obtain sensitive information through debugging information | USD 500 |
    | Privilege Escalation | Ability to obtain elevated access to resources that are normally protected from an application or user | USD 3,000 |
    | Cleartext Transmission of Sensitive Information | Ability to eavesdrop on sensitive information in network traffic | USD 500~ |
    | Path Traversal | Ability to access arbitrary files and directories by manipulating variables | USD 500~ |
    | Other | Other vulnerabilities | USD 500 |
  7. Vulnerabilities not eligible for rewards

    Examples of vulnerabilities not eligible for cash rewards are listed below. However, LINE may deem additional cases eligible for the cash reward at its own discretion.
    (1) Reporting a vulnerability as-is after detection using an automated scanner
    (2) Reporting hypothetical or theoretical vulnerabilities without actual verification code
    (3) Reporting susceptibility to a denial-of-service attack
    (4) Reporting susceptibility to brute force attacks aimed at retrieving passwords or tokens
    (5) Reporting the ability to spam LINE users arbitrarily with spam messages
    (6) Reporting email verification deficiencies, expiration of password reset links, and password complexity policies
    (7) Reporting vulnerabilities regarding ability to change password without confirmation of previous password on LINE app
    (8) Reporting vulnerabilities regarding session not expiring even after the changing of password on LINE app
    (9) Reporting on the absence of CSRF tokens
    (10) Reporting login/logout CSRF
    (11) Reporting the susceptibility to an attack via physical access to a user’s device
    (12) Reporting on missing security headers
    (13) Reporting on script executions that do not affect LINE users
    (14) Reporting vulnerabilities found in areas other than the LINE app
    • Ex 1: Reporting vulnerabilities found in domains other than *.line.me, *.line-apps.com, *.line.naver.jp
    • Ex 2: Reporting vulnerabilities found on platforms other than iOS, Android, Chrome and Windows 10 Mobile
    • Ex 3: Reporting vulnerabilities found in LINE related apps (LINE family apps, LINE games)
    (15) Reporting vulnerabilities attributable to out-of-date browsers or platforms
    (16) Reporting vulnerabilities related to auto fill web forms
    (17) Reporting the absence of secure flag attributes for non-critical cookies
    (18) Reports related to unsafe SSL/TLS cipher suites or protocol version
    (19) Reporting the accessibility of user data via a rooting device
    (20) Reporting the accessibility of profile photos, Timeline photos, and other information by anyone via URL
    (21) Reporting vulnerabilities attributable to a virtual phone number
    (22) Reporting vulnerabilities of which LINE has already received a report, LINE is already aware, or which has already been made public
    (23) Reporting vulnerabilities related to server banner information
    (24) Reporting vulnerabilities related to information contained within error messages (stack trace, application, or server errors)
    (25) Reporting vulnerabilities related to unset values for SPF record, DMARC, and DKIM
    (26) Reporting vulnerabilities which enable the use of an illegal HTTP method
    (27) Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record
    (28) Reporting vulnerabilities like the following
    • Ex 1: Vulnerabilities that use the repayment feature of a credit card or payment platform
    • Ex 2: Vulnerabilities that overwrite a device's files or databases, or that modify files being transferred so that they appear to contain items
  8. Donation of rewards

    Users now have the option of donating their reward to organizations such as OSS and internet communities that have been specified by LINE. If users choose to donate their reward, LINE will match the value when making the donation. For more information, please see [Article 7 of the Terms of Use].
  9. Program Details

    For more details on the program, please click here.

Reporting and Review

Please use the Bug Report Form to report any bugs you find. The Bug Report Form page will be available from 15:00 (3 pm), June 2, 2016 (GMT+9).
We have created a list of things that will not be recognized as bugs. Please make sure that you understand the items listed on the Details Page (Vulnerabilities not Eligible for Cash Reward) before submitting your report.

  1. Notes Regarding Reporting and Reviews

    Vulnerability reviews are conducted according to standards established by LINE Corporation. If the vulnerability is recognized, the submitter will be contacted by e-mail.
    Fundamentally, vulnerabilities of which the company is already aware shall not be eligible for review.
    If a report on a vulnerability is received while we are already in the process of reviewing a separate report on the same vulnerability, we will recognize the first report submitted.
    Furthermore, multiple vulnerabilities will be treated as a single vulnerability when:
    • the same vulnerability can be exploited under multiple parameters through a single method
    • the same vulnerability exists for a method that runs across multiple domains
    After a vulnerability is recognized, in addition to receiving a cash reward, the submitter will, with their permission, have their name (or nickname) posted along with the discovered vulnerability to the Hall of Fame to be published soon.
  2. Other Inquiries

    See Article 18 of the Details Page.
  3. Reporting bugs not related to the LINE Security Bug Bounty Program

    If you are unable to use the report form, or you would like to report a bug unrelated to this program, please contact us at dl_bugreport@linecorp.com

    Any reports submitted not using the report form will be accepted, but will not be subject to rewards or induction into the Hall of Fame.