LINE Security Bug Bounty Program
LY Corporation (“the Company”) is conducting the LINE Security Bug Bounty Program ("the Program") from June 2, 2016, whereby cash rewards will be paid for vulnerability reports, for the purpose of improving the security of the Company's online environment. Individuals desiring to participate in this program and receive a cash reward must agree to the provisions stipulated below ("these Terms of Service").
-
Article 1 (Purpose)
The purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app (LINE for iOS, LINE for Android, LINE for Chrome, LINE for windows 10 mobile latest version in the time of reporting) (“the App”) or the WEB sites, and provide LINE users (“Users”) the most secure service possible.
-
Article 2 (Qualifications for Participation, How to Participate, etc.)
- 1. Those who wish to participate in the Program ("Participants") must:
-
(i) Must be 16 or older
-
(ii)
not be an employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months
-
(iii)
not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company
-
(iv) be able communicate in Japanese or English
-
(v)
not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program
-
(vi) not be a member of an anti-social group or a related party thereof
-
2. To take part in this Program, a Participant must create an account (“the Account”) in the website on partner platforms for the operation of the Program (hereinafter referred to as "the Program Partners" or "HackerOne")specified by the Company (URL: https://hackerone.com/line, hereinafter referred to as "the Program Website”) to report vulnerabilities. In creating an Account, Participants are required to enter information requested by the Company.
- 3. Any expenses incurred by Participants as a result of participating in the Program shall be borne by the Participants.
- 4. If the Company must contact Participants for reasons related to the operation of the Program, they will be contacted via their Account.
-
Article 3 (Eligibility)
-
1. The services that are eligible for cash rewards and the types of vulnerabilities that are eligible will be specified on the Program Website.
- 2. Vulnerabilities not eligible for cash rewards are listed on the Program Website.
-
Article 4 (Program Dates)
- 1. In principal, the Program shall be conducted indefinitely from June 2, 2016. However, the Company may terminate provision of the Program without notice when circumstances so require.
-
2. Even in the case where the Company terminates provision of the Program per the preceding clause, the Company will continue to review the vulnerabilities reported by Participants, and the Participants will maintain their status as Participant until the results of their reported vulnerabilities are announced.
-
Article 5 (Reporting)
Participants are to report vulnerabilities through the Program Website. Reports received by any other method are not eligible for rewards.
-
Article 6 (Cash Rewards)
- 1. The Company will decide the cash reward at its own discretion, and based on the seriousness and novelty of the vulnerability reported. Refer to the Program Website regarding reward value guidelines.
- 2. In cases where the Company receives reports for similar vulnerabilities, it shall treat those that it determines to be the same vulnerability as one vulnerability. This includes but is not limited to:
- (i) the same vulnerability can be exploited under multiple parameters through a single method
- (ii) the same vulnerability exists for a method that runs across multiple domains
- 3. If the same vulnerability is reported by multiple participants, a cash reward will be paid only for the first report submission that the Company receives.
- 4. If the Company determines that a vulnerability reported by a Participant is eligible for a cash reward, the Company will contact and inform the Participant.
-
5. Participants shall receive cash rewards via the following method. Participants shall promptly provide all valid and credible information (“the Information”) needed for the remittance of cash rewards of which the value is determined by the Company or the Program Partner if they receive a request to provide Information from the Company via their Account. Participants are deemed to have waived the right to receive their reward if they do not supply the relevant information within one month of the request from the Company. Bank transfer fees to deposit cash rewards shall be borne by the Company. (The same applies to all clauses in this Paragraph hereafter.) The rules and procedures for reward payments shall be in accordance with the rules of the Program Partner.
- 6. The amount (cash reward) that we share with the Participants is the amount of proceeds after tax withholding.
- 7. In instances where the Company sends a message to a Participant’s Account or email address and does not receive a reply within 30 days (including instances where there is a typo in the provided email address), or a Participant is unable to receive cash rewards, in whole or part, even after the Company or the Program Partner complete the necessary remittance procedures based on the information received from a Participant per Paragraph 4 (including instances where there is a mistake in the Information, where there are banking system issues or the Participant is subject to economic sanctions) the Company's obligation to pay the cash reward will be dissolved.
- 8. Participants should not transfer, assign, or offer as collateral the right to receive a bonus to a third party.
- 9. In cases where it is made clear that a Participant has violated these Terms of Service, the Company shall be able to refuse payment or request a refund for paid cash rewards to said Participant.
-
Article 7 (Prohibited Acts)
- 1. Participants shall not perform:
-
(i) any act that violates the rights of others or the law
-
(ii) a denial-of-service attack that interferes with the Company's service
-
(iii) an attack using an automated vulnerability scanner
-
(iv) spamming Users arbitrarily with spam messages
-
(v) physical attacks against our Company assets or data centers
-
(vi) viewing, deletion, modification or disclosure of other users’ data using the discovered vulnerability
-
(vii) viewing, deletion, modification or disclosure of source code, etc. using the discovered vulnerability
-
(viii) any act in relation to vulnerability testing and reporting that violates others' rights
-
(ix) any act other than those listed above that is contrary to the spirit and purpose of the Program
- 2. Any and all acts related to personal information of others by the Participant (including access, deletion, modification, publication, storage, manipulation, etc., and the same shall apply hereinafter) shall be prohibited unless the Participant has obtained the persons explicit approval, in writing, in advance. In the event any Participant accesses any personal information of any other person, such Participant shall immediately cease such action, report the details to us, and delete such personal information and all reproductions thereof from any terminal, such as a computer.
- 3. The prohibitions and the precautions for participating in this Program will also be listed on the Program Website.
- 4. If a Participant is in violation of an item in Paragraph 1, Paragraph 2 of this Article or the preceding Paragraph, the Company shall be able to disqualify the Participant from participating in the Program.
-
Article 8 (Rights)
- 1. A Participant holds the right to modify the App including altering, processing, and replicating to the extent necessary for participation in this Program.
-
2. In instances where a Participant creates an invention, methodology or design for verifying or studying repair methods for a vulnerability ("Inventions, Etc."), industrial property rights and other patent filing/application rights related to Inventions, Etc. (including rights prescribed in Copyright Act, Article 27 and28) and all other rights shall be transferred to the Company with the submission of the vulnerability details via the Participant’s Account, and the Company shall be able to freely exercise and dispose of those rights.
-
3. In instances where Inventions, Etc. are copyrighted material, Participants shall not claim or exercise author's moral rights associated with relevant copyrighted materials against the Company or other entities the Company has granted authority.
-
4. In instances where the Company determines that vulnerability information reported by Participants includes vulnerability information on services or products supplied by third parties ("External Products"), or that vulnerabilities have arisen due to a pairing with External Products, the Company reserves the right to provide that vulnerability information to the External Product supplier or administrative body to which that vulnerability information pertains without the approval of the Participant. In instances where a Participant's report contains Inventions, Etc., the rights pertaining to External Product-related Inventions, Etc. shall not transfer to the Company, and shall continue to be held by the Participant. The Company shall be able to freely use External Product-related Inventions, Etc. to the extent necessary to correct its services or products.
-
Article 9 (Handling of Confidential Information)
-
1. Participants shall treat vulnerability information, and any information obtained using the vulnerability, as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.
- 2. The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.
- 3. Notwithstanding the provisions of Paragraphs 1 and 2 of this Article, in the event the vulnerability information, and any information obtained using the vulnerability, contains personal information of a third party, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.
- 4. Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product (whereby Article 8 Paragraph 4 applies) that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.
-
Article 10 (Handling of Personal Information)
- 1. The Company respects the privacy of Participants.
-
2. The Company will use the personal information provided by Participants for identification, contacting, report reviewing, payments, prevention of unauthorized use, smooth operation of the Program and any other necessary clerical processes. The handling of other privacy matters shall be in accordance with the LY Corporation Privacy Policy.
- 3. The Company gives the utmost care to safely managing the information collected from Participants.
-
Article 11 (Withdrawal)
- 1. If participants wish to withdraw from the program, they can delete their HackerOne account using the built in functionality of HackerOne. By doing so, you will be considered to have made a request to withdraw from the LINE HackerOne Bug Bounty program.
-
2. In the event that a participant is found not to meet the qualifications for participation stipulated in Paragraph 1 of Article 2 hereof, or if a participant violates, or is deemed likely to violate any of the prohibited acts stipulated in Article 7 hereof, the Company shall have the right to exclude the Participant from the Program.
-
Article 12 (Hall of Fame)
- Participants submitting useful report to the Company can be posted their names and personal photos on a designated page on the Program Website (https://hackerone.com/line/thanks).
-
Article 13 (Liability Exemption)
- 1. Participants shall participate in the Program at their own responsibility.
-
2. The Company shall not involve itself in any disputes arising between Participants or Participants and third parties in relation to the Program, and Participants shall resolve such disputes at their own responsibility and expense.
-
Article 14 (Changes to These Terms of Service)
- 1. The Company may revise these Terms of Service in any of the following cases.
In the foregoing case, the Company will make public, by indicating on the Program or the Company’s website, or notifying Participants according to a method prescribed by the Company, to the effect that these Terms of Service will be revised, as well as the subject matter and effective date of the revised version of these Terms of Service. In the case of Item (2) below, the Company will make the revision public a reasonable period before the effective date of the revision:
-
(1) when revision to these Terms of Service conforms to the general interests of Participants; or
-
(2) when revision to these Terms of Service is not in breach of the purpose of any contract, and is rational in light of the necessity of such revision, appropriateness of the subject matter after revision, and other circumstances concerning the revision.
- 2. The revised version of these Terms of Service shall come into effect from the effective date.
- 3. Guidelines regarding the Program listed on the Program Website ("services eligible for rewards", "types of vulnerabilities eligible", "examples of vulnerabilities not eligible for rewards", " reference amount of rewards" and "prohibitions and precautions for participation in the Program." The same shall apply hereinafter in this section.), as well as these Terms of Service, shall apply to the Program. The Company may revise the Guidelines in the same conditions and manner as described in Paragraphs 1 and 2 of this Article. Participants can view the changes on the Program Website.
-
Article 15 (Language and Standard Time)
- 1. The Japanese Terms of Service shall be the official text, and the Japanese version shall prevail in case of any inconsistencies exist between the Japanese version and the English translation.
- 2. Unless specified otherwise, all dates and times used in relation to this Program are of Japan.
-
Article 16 (Governing Laws and Court of Jurisdiction)
Disputes between Participants and the Company arising from or in relation to participating in this Program shall be the exclusive jurisdiction of the Tokyo District Court as the court of first instance.
-
Article 17 (Inquiries Regarding the Program)
The Program is operated by the Company. All inquiries regarding the Program are to be submitted using the form below. Inquiries sent by any other method will not receive a response.
https://contact-cc.line.me/en/
(Example: Select "LINE" under Service, "Other" under Category, and "Promotions" under Details)
Revised on October 1, 2023