LY Corporation

FAQ

We added the following FAQ. (2017/11/16 update)
If in doubt, please see the following FAQs for help.

Q1. What is the purpose of the LINE Security Bug Bounty Program?
We launched the Bug Bounty Program to help find and address bugs, errors, and possible vulnerabilities with the LINE app and other related services.
Q2. Reward money is offered for bugs found in the Android / iOS / Chrome / Windows 10 mobile versions of the LINE app or website (LINE STORE・LINE NEWS・LINE MUSIC・LINE LIVE), but will other vulnerabilities reported in related services (such as LINE Family apps and LINE GAME apps) also be eligible for a reward?
No, LINE Security Bug Bounty Program cash rewards are currently only available for vulnerabilities found with the LINE app for Android / iOS / Chrome / Windows 10 mobile or website (LINE STORE・LINE NEWS・LINE MUSIC・LINE LIVE), according to Article 3 of the Details Page. Please refer to the Details Page (Article 3 Eligibility). In the event that this program is expanded to cover additional apps, the Details Page will be amended accordingly and LINE Security Bug Bounty Program participants will be notified in advance.
Q3. Is the LINE Security Bug Bounty Program intended as a temporary program?
No. The LINE Security Bug Bounty Program is a continuous program with no specific ending date and LINE Security Bug Bounty Program participants can submit vulnerability reports at any time. However, according to Article 4 of the Details Page, the program can be suspended without warning at any time in the future.
Q4. Is there a limit for cash rewards offered via the LINE Security Bug Bounty Program?
No. There is no established limit for rewards offered via the LINE Security Bug Bounty Program. We evaluate submitted vulnerabilities based on their uniqueness and severity and determine a suitable cash reward for each submission. Please note that the amount of money rewarded is subject to change based on the quality of the report and other details.
Q5. How long does it take to get the results of the review process after submitting a vulnerability report?
We try to start the review process as soon as the vulnerability is submitted, but please note that there is no set time frame for announcing results of the review process.
Q6. Can I post the details of my reported vulnerability to blogs, social networking services, or other such locations?
As stated in Article 10 of the Details Page, you cannot share, leak, or otherwise disclose any such information to third parties until we have fully resolved the vulnerability and made appropriate announcements. Reward money may be rescinded if a LINE Security Bug Bounty Program participant is found to have violated Article 9 of the Details Page. This rule also applies to information pertaining to already known vulnerabilities, vulnerabilities already reported by other LINE Security Bug Bounty Program participants, or vulnerabilities that are otherwise ineligible for cash rewards.
Q7. How is the information concerning reported vulnerabilities handled?
The details of each reported vulnerability are safely stored within LINE's servers and only shared with relevant employees. Additionally, all communications are encrypted using SSL.
Q8. Is it possible to report vulnerabilities without creating an account for that purpose?
No. According to Article 2 of the Details Page, vulnerability reports can only be made from an appropriate JIRA account registered to the participant.
Q9. What types of vulnerabilities are not accepted (do not qualify for cash rewards) by the Bug Bounty Program?
Examples of vulnerabilities not eligible for cash rewards are listed in Article 3 of the Details Page. Please note that certain vulnerabilities may also be deemed ineligible for a cash reward after review by the Company.
Q10. Do you accept bugs or other issues unrelated to app security as part of the LINE Security Bug Bounty Program?
No, we only accept reports for issues and vulnerabilities related to the security of the app. Please contact us via this page to report bugs or issues other than security issues.
Q11. How is the cash reward paid for qualifying submissions?
Participants whose reports are deemed eligible based on our internal review will be contacted again and asked for their bank details in order to receive cash payment by wire transfer.
Q12. How long will it take to receive my cash payment once my vulnerability report has been approved?
Normally, it takes around one to two months to receive your payment. However, residents of countries outside Japan may require extra time for tax-related reasons. Refer to the following for information on the process from vulnerability confirmation to reward payment.

Rewards will be paid out for any confirmed vulnerabilities. The basic process for reward payment is as follows.

  1. User reports a vulnerability.
  2. LY Corporation SECURITY reviews the reported vulnerability.
  3. If the vulnerability is confirmed, a reward is offered.
  4. User agrees to the reward payment.
  5. User provides necessary information for payment.¹
    (Residents of countries with a tax convention with Japan have to submit an Application Form for Income Tax Convention.)²
  6. LY Corporation SECURITY reviews the submitted documentation.
    (The Application Form for Income Tax Convention requires review by a tax office so payment may take up to 2 months.)
  7. LY Corporation pays the reward to the user.

*1 Information Necessary for Payment

Personal information such as address, phone number, bank and bank account information will be taken from the Application Form for Income
Tax Convention or other related documents for bank transfer or foreign remittance purposes.

*2 Application Form for Income Tax Convention

Tax conventions are treaties established between Japan (source of the income) and the country where the individual resides in order to avoid
double taxation. Corporations and individuals residing in countries that have established tax conventions with Japan can avoid double taxation
for income earned from their reward in Japan (source of the income).
If a tax convention has been established between your country of residence and Japan, it is applied by submitting
two signed original "Application Form for Income Tax Convention" documents to the LINE Security Bug Bounty Program. You may be able to
receive a reduction or exemption for any income tax withheld in Japan.

Q13. Can somebody other than the person who reported the vulnerability receive payment for the cash reward?
No, only the person who reported the vulnerability can receive payment for the reward. The account name and number provided when creating the account must match the person identified or else the wire transfer cannot be paid.
Q14. If multiple participants have identified the same vulnerability, will they all receive a cash reward?
No. According to Article 6 of the Details Page, in the event that multiple participants report the same vulnerability, the person who reported the issue first (the first report that we receive) will be the one to receive the cash payment.
Q15. Will my account profile created to report the vulnerability ever be released to the public?
No, your account profile will not be made public. According to Article 12 of the Details Page, participants listed in the Hall of Fame will be asked to provide separate profile information to be listed there.
Q16. Can I use the same account to report multiple vulnerabilities?
Yes, you can continue to use the same account to report vulnerabilities after making your first report.
Q17. What are some of the reasons for the increased scope of the program from April 10, 2017?
As the LINE service continues to grow, we increased the program's scope as part of our commitment to providing a safe and secure user experience.
Q18. Are there any reports about the outcome of the LINE Security Bug Bounty Program?
You can read about previous outcomes on the following page.
https://engineering.linecorp.com/en/blog/detail/113
Q19. Can someone other than myself receive the reward payment?
No. As part of the Terms and Conditions of Use, only the actual reporting user can receive the reward. However, a nickname can be used for the official reports.