LINE

LINE Security Bug Bounty Program

LINE Corporation (“the Company”) is conducting the LINE Security Bug Bounty Program ("the Program") from June 2, 2016, whereby cash rewards will be paid for vulnerability reports, for the purpose of improving the security of the Company's online environment. Individuals desiring to participate in this program and receive a cash reward must agree to the provisions stipulated below ("these Terms of Service").

  1. Article 1 (Purpose)
    The purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app (LINE for iOS, LINE for Android, LINE for Chrome, LINE for windows 10 mobile latest version in the time of reporting) (“the App”) or the WEB sites, and provide LINE users (“Users”) the most secure service possible.
  2. Article 2 (Qualifications for Participation, How to Participate, etc.)
    1. 1. Those who wish to participate in the Program ("Participants") must:
      1. (i) Must be 16 or older
      2. (ii) not be an employee of the Company or an affiliated company
      3. (iii) not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company
      4. (iv) be able communicate in Japanese or English
      5. (v) not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program
      6. (vi) not be a member of an anti-social group or a related party thereof
    2. 2. To take part in this Program, a Participant must create an account (“the Account”) in the website on partner platforms for the operation of the Program (hereinafter referred to as "the Program Partners" or "HackerOne")specified by the Company (URL: https://hackerone.com/line, hereinafter referred to as "the Program Website”) to report vulnerabilities. In creating an Account, Participants are required to enter information requested by the Company.
    3. 3. Any expenses incurred by Participants as a result of participating in the Program shall be borne by the Participants.
    4. 4. If the Company must contact Participants for reasons related to the operation of the Program, they will be contacted via their Account.
  3. Article 3 (Eligibility)
    1. 1. The services that are eligible for cash rewards and the types of vulnerabilities that are eligible will be specified on the Program Website.
    2. 2. Vulnerabilities not eligible for cash rewards are listed on the Program Website.
  4. Article 4 (Program Dates)
    1. 1. In principal, the Program shall be conducted indefinitely from June 2, 2016. However, the Company may terminate provision of the Program without notice when circumstances so require.
    2. 2. Even in the case where the Company terminates provision of the Program per the preceding clause, the Company will continue to review the vulnerabilities reported by Participants, and the Participants will maintain their status as Participant until the results of their reported vulnerabilities are announced.
  5. Article 5 (Reporting)
    Participants are to report vulnerabilities through the Program Website. Reports received by any other method are not eligible for rewards.
  6. Article 6 (Cash Rewards)
    1. 1. The Company will decide the cash reward at its own discretion, and based on the seriousness and novelty of the vulnerability reported. Refer to the Program Website regarding reward value guidelines.
    2. 2. In cases where the Company receives reports for similar vulnerabilities, it shall treat those that it determines to be the same vulnerability as one vulnerability. This includes but is not limited to:
      1. (i) the same vulnerability can be exploited under multiple parameters through a single method
      2. (ii) the same vulnerability exists for a method that runs across multiple domains
    3. 3. If the same vulnerability is reported by multiple participants, a cash reward will be paid only for the first report submission that the Company receives.
    4. 4. If the Company determines that a vulnerability reported by a Participant is eligible for a cash reward, the Company will contact and inform the Participant.
    5. 5. Participants shall receive cash rewards via the following method. Participants shall promptly provide all valid and credible information (“the Information”) needed for the remittance of cash rewards of which the value is determined by the Company or the Program Partner if they receive a request to provide Information from the Company via their Account. Participants are deemed to have waived the right to receive their reward if they do not supply the relevant information within one month of the request from the Company. Bank transfer fees to deposit cash rewards shall be borne by the Company. (The same applies to all clauses in this paragraph hereafter.) The rules and procedures for reward payments shall be in accordance with the rules of the Program Partner.
    6. 6. In cases where there is a legal requirement to pay withholding income tax for the cash reward given to a Participant, the Company shall pay to Participants the amount equivalent of the cash reward minus said tax.
    7. 7. In instances where the Company sends a message to a Participant’s Account or email address and does not receive a reply within 30 days (including instances where there is a typo in the provided email address), or a Participant is unable to receive cash rewards, in whole or part, even after the Company or the Program Partner complete the necessary remittance procedures based on the information received from a Participant per Paragraph 4 (including instances where there is a mistake in the Information, where there are banking system issues or the Participant is subject to economic sanctions) the Company's obligation to pay the cash reward will be dissolved.
    8. 8. Participants should not transfer, assign, or offer as collateral the right to receive a bonus to a third party.
    9. 9. In cases where it is made clear that a Participant has violated these Terms of Service, the Company shall be able to refuse payment or request a refund for paid cash rewards to said Participant.
  7. Article 7 (Special Provision Regarding the Reward Donation System)
    To further motivate the LINE Security Bug Bounty Program participants who have found vulnerabilities, LINE provides a system that allows them to donate their cash rewards. Participants eligible to receive a cash reward can choose to turn down their reward according to the Terms of Use, and instead, have its value donated after LINE matches the reward value. By selecting this option, participants can choose to donate to one of the following third party organizations (including OSS and internet communities) specified by LINE. Donations will be made in LINE Corporation's name. Please note that once participants choose to donate their reward, the decision cannot be reversed. List of organizations to which donations can be made
      1. (i) Apache Software Foundation
      2. (ii) Linux Foundation
      3. (iii) OWASP
      4. (iv) Electronic Frontier Foundation (EFF)
      5. (v) Let's Encrypt
    1. Please note that partial donations are not possible. Also, LINE does not issue any tax deduction forms related to these donations.
  8. Article 8 (Prohibited Acts)
    1. 1. Participants shall not perform:
      1. (i) any act that violates the rights of others or the law
      2. (ii) a denial-of-service attack that interferes with the Company's service
      3. (iii) an attack using an automated vulnerability scanner
      4. (iv) spamming LINE users arbitrarily with spam messages
      5. (v) physical attacks against our Company assets or data centers
      6. (vi) viewing, deletion, modification or disclosure of other users’ data using the discovered vulnerability
      7. (vii) viewing, deletion, modification or disclosure of source code, etc. using the discovered vulnerability
      8. (viii) any act in relation to vulnerability testing and reporting that violates others' rights
      9. (ix) any act other than those listed above that is contrary to the spirit and purpose of the Program
    2. 2. The prohibitions and the precautions for participating in this Program will also be listed on the Program Website.
    3. 3. If a Participant is in violation of an item in paragraph 1 of this Article or the preceding paragraph, the Company shall be able to disqualify the Participant from participating in the Program.
  9. Article 9 (Rights)
    1. 1. A Participant holds the right to modify the App including altering, processing, and replicating to the extent necessary for participation in this Program.
    2. 2. In instances where a Participant creates an invention, methodology or design for verifying or studying repair methods for a vulnerability ("Inventions, Etc."), industrial property rights and other patent filing/application rights related to Inventions, Etc. (including rights prescribed in Copyright Act, Article 27 and28) and all other rights shall be transferred to the Company with the submission of the vulnerability details via the Participant’s Account, and the Company shall be able to freely exercise and dispose of those rights.
    3. 3. In instances where Inventions, Etc. are copyrighted material, Participants shall not claim or exercise author's moral rights associated with relevant copyrighted materials against the Company or other entities the Company has granted authority.
    4. 4. In instances where the Company determines that vulnerability information reported by Participants includes vulnerability information on services or products supplied by third parties ("External Products"), or that vulnerabilities have arisen due to a pairing with External Products, the Company reserves the right to provide that vulnerability information to the External Product supplier or administrative body to which that vulnerability information pertains without the approval of the Participant. In instances where a Participant's report contains Inventions, Etc., the rights pertaining to External Product-related Inventions, Etc. shall not transfer to the Company, and shall continue to be held by the Participant. The Company shall be able to freely use External Product-related Inventions, Etc. to the extent necessary to correct its services or products.
  10. Article 10 (Handling of Confidential Information)
    1. 1. Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.
    2. 2. The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.
    3. 3. Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product (whereby Article 9 Paragraph 4 applies) that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.
  11. Article 11 (Handling of Personal Information)
    1. 1. The Company respects the privacy of Participants.
    2. 2. The Company will use the personal information provided by Participants for identification, contacting, report reviewing, payments, prevention of unauthorized use, smooth operation of the Program and any other necessary clerical processes. The handling of other privacy matters shall be in accordance with the LINE Privacy Policy.
    3. 3. The Company gives the utmost care to safely managing the information collected from Participants.
  12. Article 12 (Withdrawal)
    1. 1. If participants wish to withdraw from the program, they can delete their HackerOne account using the built in functionality of HackerOne. By doing so, you will be considered to have made a request to withdraw from the LINE HackerOne Bug Bounty program.
    2. 2. In the event that a participant is found not to meet the qualifications for participation stipulated in Paragraph 1 of Article 2 hereof, or if a participant violates, or is deemed likely to violate any of the prohibited acts stipulated in Article 8 hereof, the Company shall have the right to exclude the Participant from the Program.
  13. Article 13 (Hall of Fame)
    1. Participants submitting useful report to the Company can be posted their names and personal photos on a designated page on the Program Website (https://hackerone.com/line/thanks).
  14. Article 14 (Liability Exemption)
    1. 1. Participants shall participate in the Program at their own responsibility, and the Company shall bear no responsibility for any damages incurred in relation to participation in the Program.
    2. 2. The Company shall not involve itself in any disputes arising between Participants or Participants and third parties in relation to the Program, and Participants shall resolve such disputes at their own responsibility and expense.
  15. Article 15 (Changes to These Terms of Service)
    1. 1. The Company may modify the content of these Terms of Service within the scope of the purposes of the Program. In such case, the Company will indicate the contents of the modified version of these Terms of Service, as well as the effective date of the modification, on the Program or on the Company’s website, or will publicize the same to Participants by notifying Participants in the manner prescribed by the Company.
    2. 2. The modified version of these Terms of Service shall become effective as of the effective date thereof.
    3. 3. Guidelines regarding the Program listed on the Program Website ("services eligible for rewards", "types of vulnerabilities eligible", "examples of vulnerabilities not eligible for rewards", " reference amount of rewards" and "prohibitions and precautions for participation in the Program." The same shall apply hereinafter in this section.), as well as these Terms of Service, shall apply to the Program. The Company may change the Guidelines to the extent that the changes are not disadvantageous to Participants, such as clarifying the intent of the description specified in the Guidelines or adding services that are eligible for rewards. Important changes to the Guidelines will be made in the same manner as described in paragraphs 1 and 2 of this Article. Participants can view the changes on the Program Website.
  16. Article 16 (Language and Standard Time)
    1. 1. The Japanese Terms of Service shall be the official text, and the Japanese version shall prevail in case of any inconsistencies exist between the Japanese version and the English translation.
    2. 2. Unless specified otherwise, all dates and times used in relation to this Program are of Japan.
  17. Article 17 (Governing Laws and Court of Jurisdiction)
    Disputes between Participants and the Company arising from or in relation to participating in this Program shall be the exclusive jurisdiction of the Tokyo District Court as the court of first instance.
  18. Article 18 (Inquiries Regarding the Program)
    The Program is operated by the Company. All inquiries regarding the Program are to be submitted using the form below. Inquiries sent by any other method will not receive a response.
    https://contact-cc.line.me/en/
    (Example: Select "LINE" under Service, "Other" under Category, and "Promotions" under Details)
  19. Revised March 31, 2020