LINE Security Bug Bounty Program

LINE Corporation (“the Company”) is conducting the LINE Security Bug Bounty Program ("the Program") from June 2, 2016, whereby cash rewards will be paid for vulnerability reports, for the purpose of improving the security of the Company's online environment. Individuals desiring to participate in this program and receive a cash reward must agree to the provisions stipulated below ("these Terms of Service"). Individuals submitting a vulnerability report shall be deemed to have granted their agreement to these stipulations.

  1. Article 1 (Purpose)
    The purpose of the Program is to quickly discover any vulnerabilities that exist in the LINE messenger app (LINE for iOS, LINE for Android, LINE for Chrome, LINE for Windows 10 Mobile; latest version at the time of reporting) (“the App”) or the websites, and to provide LINE users (“Users”) with the most secure service possible.
  2. Article 2 (Qualifications for Participation, How to Participate, etc.)
    1. 1. Those who wish to participate in the Program ("Participants") must:
      1. (i) be 16 or older
      2. (ii) not be an employee of the Company or an affiliated company
      3. (iii) not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company
      4. (iv) be able to communicate in Japanese or English
      5. (v) not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program
    2. 2. To take part in this Program, a Participant must create an account (“the Account”) in the website specified by the Company (URL: to report vulnerabilities. In creating an Account, Participants are required to enter information requested by the Company.
    3. 3. Any expenses incurred by Participants as a result of participating in the Program shall be borne by the Participants.
    4. 4. If the Company must contact Participants for reasons related to the operation of the Program, they will be contacted via their Account.
  3. Article 3 (Eligibility)
    1. 1. Cash rewards are limited to vulnerabilities found in the following LINE Corporation services.
      1. (i) Services that are displayed in the latest version of the App
        • LINE for iOS (latest version at the time of reporting)
        • LINE for Android (latest version at the time of reporting)
        • LINE for Chrome (latest version at the time of reporting)
        • LINE for Windows 10 Mobile (latest version at the time of reporting)

        Furthermore, limited to those having one of the following domains.

        • ・
        • ・
        • ・
      2. (ii) The following websites
        • ・
        • ・
        • ・
        • ・

      However, LINE-related apps that are activated via another process after clicking a link within the App (LINE Family apps, LINE GAME apps, etc.) are not eligible.

    2. 2. Vulnerabilities not eligible for cash rewards include, but are not limited to, the following:
      1. (i) Reporting a vulnerability as-is after detection using an automated scanner
      2. (ii) Reporting hypothetical or theoretical vulnerabilities without actual verification code
      3. (iii) Reporting the susceptibility to a denial-of-service attack
      4. (iv) Reporting the susceptibility to brute force attacks aimed at retrieving passwords or tokens
      5. (v) Reporting the ability to spam LINE users arbitrarily with spam messages
      6. (vi) Reporting on the deficiencies of e-mail verification, expiration of password reset links, policy on password complexity, etc.
      7. (vii) Reporting vulnerabilities regarding ability to change password without confirmation of previous password on LINE app
      8. (viii) Reporting vulnerabilities regarding session not expiring even after the changing of password on LINE app
      9. (ix) Reporting on the absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes
      10. (x) Reporting login/logout CSRF
      11. (xi) Reporting the susceptibility to an attack via physical access to a user's device
      12. (xii) Reports related to missing security header
      13. (xiii) Reporting of script executions that do not affect Users
      14. (xiv) Reporting of vulnerabilities found in services and devices beyond the scope of this program such as:
        • (a) Domains other than *, *, *
        • (b) Platforms other than iOS, Android, Chrome and Windows 10 Mobile
        • (c) LINE Family apps and/or LINE Games apps
      15. (xv) Reporting vulnerabilities attributable to out-of-date browsers or platforms
      16. (xvi) Reporting of content related to an auto fill web form
      17. (xvii) Reporting of absence of secure flag attribute for non-critical cookies
      18. (xviii) Reports related to unsafe SSL/TLS cipher suites or protocol version
      19. (xix) Reporting the accessibility of user data using a rooted device
      20. (xx) Reporting of accessibility of profile photos, Timeline photos, etc. by anyone via URL
      21. (xxi) Reporting of vulnerability attributable to virtual phone number
      22. (xxii) Reporting of vulnerability of which the Company has already received a report, or which the Company is already aware (including those attributable to specifications approved by the Company), or which has already been made public
      23. (xxiii) Reports related to the server banner information
      24. (xxiv) Reports related to information attributable to error messages (stack trace, server or application errors)
      25. (xxv) Reports related to a domain’s SPF record, DMARC, or DKIM not being set
      26. (xxvi) Reporting that an unauthorized HTTP method can be used
      27. (xxvii) Reporting vulnerabilities related to clickjacking, tabjacking, tabnabbing, text injection, open redirect, DNS CAA record
      28. (xxviii) Reports on vulnerabilities determined by the Company to be inapplicable for reward payment.
        • (a) Reports relating to the use of credit card or payment platform reimbursement features
        • (b) Reports involving the overwriting of files or databases on a device, or falsely showing possession of an item by altering a file along the communication pathway.
  4. Article 4 (Program Dates)
    1. 1. In principle, the Program shall be conducted indefinitely from June 2, 2016. However, the Company may terminate provision of the Program without notice when circumstances so require.
    2. 2. Even in the case where the Company terminates provision of the Program per the preceding clause, the Company will continue to review the vulnerabilities reported by Participants, and the Participants will maintain their status as Participant until the results of their reported vulnerabilities are announced.
  5. Article 5 (Reporting)
    Participants are to report vulnerabilities through Reports received by any other method are not eligible for rewards.
  6. Article 6 (Cash Rewards)
    1. 1. The Company will decide the cash reward at its own discretion, and based on the seriousness and novelty of the vulnerability reported. Refer to the table below regarding reward value guidelines.
      | Category | Examples | Reference amount / Highly sensitive applications | Reference amount / Other applications |
      |---|---|---|---|
      | Remote Code Execution | Ability to send packets containing arbitrary system call to the client or server side | $30,000 | $10,000 - $30,000 |
      | Full access to file system or database | SSRF, SQL Injection | $10,000 - $30,000 | $3,000 - $10,000 |
      | Account takeover | Authentication Bypass | $5,000 - $10,000 | $5,000 - $10,000 |
      | Logic flaw bugs, information leaks, or bypassing significant security controls | IDOR, impersonation, sensitive actions by user, Purchase Bypass | $5,000 - $15,000 | $1,000 - $5,000 |
      | Execute code on the client | Cross-site scripting | $1,500 - $5,000 | $500 - $1,500 |
      | Other valid security vulnerabilities | CSRF, Clickjacking, information leakage | $500 - $10,000 | $500 - $10,000 |

      Note: For vulnerabilities applicable only to some environments or some users, the reward amount may be subject to change.

    2. 2. In cases where the Company receives reports for similar vulnerabilities, it shall treat those that it determines to be the same vulnerability as one vulnerability. This includes but is not limited to:
      1. (i) the same vulnerability can be exploited under multiple parameters through a single method
      2. (ii) the same vulnerability exists for a method that runs across multiple domains
    3. 3. If the same vulnerability is reported by multiple participants, a cash reward will be paid only for the first report submission that the Company receives.
    4. 4. If the Company determines that a vulnerability reported by a Participant is eligible for a cash reward, the Company will contact and inform the Participant.
    5. 5. Participants shall receive cash rewards via the following method. Participants shall promptly provide all valid and credible information (“the Information”) needed for the remittance of cash rewards of which the value is determined by the Company if they receive a request to provide Information from the Company via their Account. Participants are deemed to have waived the right to receive their reward if they do not supply the relevant information within one month of the request from the Company. Bank transfer fees to deposit cash rewards shall be borne by the Company. (The same applies to all clauses in this paragraph hereafter.)
      1. (i) Participants with a Japanese bank account: Cash rewards are paid in Japanese yen via deposit to the Japanese bank account. For converting the cash reward into Japanese yen, the Company shall use the Company’s designated exchange rate of the final date of the month in which the Participant reported a vulnerability that led to a cash reward. If said day is a Sunday or public holiday, the exchange rate of the previous business day will be applied (rounded down to the nearest yen).
      2. (ii) Participants with a foreign bank account: Cash rewards are paid in US dollars via deposit to the foreign bank account.
    6. 6. The only eligible bank accounts to receive a cash reward are those of the participant, for which the name of the account holder is the same as the name provided in the Information stipulated in the preceding paragraph.
    7. 7. In cases where there is a legal requirement to pay withholding income tax for the cash reward given to a Participant, the Company shall pay to Participants the amount equivalent of the cash reward minus said tax.
    8. 8. In instances where the Company sends a message to a Participant’s Account or email address and does not receive a reply within 30 days (including instances where there is a typo in the provided email address), or a Participant is unable to receive cash rewards, in whole or part, even after the Company completes the necessary remittance procedures based on the information received from a Participant per Paragraph 4 (including instances where there is a mistake in the Information, where there are banking system issues or the Participant is subject to economic sanctions) the Company's obligation to pay the cash reward will be dissolved.
    9. 9. Participants should not transfer, assign, or offer as collateral the right to receive a bonus to a third party.
    10. 10. In cases where it is made clear that a Participant has violated these Terms of Service, the Company shall be able to refuse payment or request a refund for paid cash rewards to said Participant.
  7. Article 7 (Special Provision Regarding the Reward Donation System)
    1. 1. To further motivate the LINE Security Bug Bounty Program participants who have found vulnerabilities, LINE provides a system that allows them to donate their cash rewards. Participants eligible to receive a cash reward can choose to turn down their reward according to the Terms of Use, and instead, have its value donated after LINE matches the reward value. By selecting this option, participants can choose to donate to one of the following third party organizations (including OSS and internet communities) specified by LINE. Donations will be made in LINE Corporation's name. Please note that once participants choose to donate their reward, the decision cannot be reversed.
      List of organizations to which donations can be made:
      1. (i) Apache Software Foundation
      2. (ii) Linux Foundation
      3. (iii) OWASP
      4. (iv) Electronic Frontier Foundation (EFF)
      5. (v) Let's Encrypt
    2.  Please note that partial donations are not possible. Also, LINE does not issue any tax deduction forms related to these donations.
  8. Article 8 (Prohibited Acts)
    1. 1. Participants shall not perform:
      1. (i) any act that violates the rights of others or the law
      2. (ii) a denial-of-service attack that interferes with the Company's service
      3. (iii) an attack using an automated vulnerability scanner
      4. (iv) spamming LINE users arbitrarily with spam messages
      5. (v) physical attacks against our Company assets or data centers
      6. (vi) viewing, deletion, modification or disclosure of other users’ data using the discovered vulnerability
      7. (vii) viewing, deletion, modification or disclosure of source code, etc. using the discovered vulnerability
      8. (viii) any act in relation to vulnerability testing and reporting that violates others' rights
      9. (ix) any act other than those listed above that is contrary to the spirit and purpose of the Program
    2. 2. If a Participant is in violation of an item in the preceding paragraph, the Company shall be able to disqualify the Participant from participating in the Program.
  9. Article 9 (Rights)
    1. 1. A Participant holds the right to modify the App including altering, processing, and replicating to the extent necessary for participation in this Program.
    2. 2. In instances where a Participant creates an invention, methodology or design for verifying or studying repair methods for a vulnerability ("Inventions, Etc."), industrial property rights and other patent filing/application rights related to Inventions, Etc. (including rights prescribed in Copyright Act, Article 27 and 28) and all other rights shall be transferred to the Company with the submission of the vulnerability details via the Participant’s Account, and the Company shall be able to freely exercise and dispose of those rights.
    3. 3. In instances where Inventions, Etc. are copyrighted material, Participants shall not claim or exercise author's moral rights associated with relevant copyrighted materials against the Company or other entities the Company has granted authority.
    4. 4. In instances where the Company determines that vulnerability information reported by Participants includes vulnerability information on services or products supplied by third parties ("External Products"), or that vulnerabilities have arisen due to a pairing with External Products, the Company reserves the right to provide that vulnerability information to the External Product supplier or administrative body to which that vulnerability information pertains without the approval of the Participant. In instances where a Participant's report contains Inventions, Etc., the rights pertaining to External Product-related Inventions, Etc. shall not transfer to the Company, and shall continue to be held by the Participant. The Company shall be able to freely use External Product-related Inventions, Etc. to the extent necessary to correct its services or products.
  10. Article 10 (Handling of Confidential Information)
    1. 1. Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.
    2. 2. The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.
    3. 3. Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product (whereby Article 8 Paragraph 4 applies) that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.
  11. Article 11 (Handling of Personal Information)
    1. 1. The Company respects the privacy of Participants.
    2. 2. The Company will use the personal information provided by Participants for identification, contacting, report reviewing, payments, prevention of unauthorized use, smooth operation of the Program and any other necessary clerical processes. The handling of other privacy matters shall be in accordance with the LINE Privacy Policy.
    3. 3. The Company gives the utmost care to safely managing the information collected from Participants.
    4. 4. The Company shall store the Information received from Participants for one year since the last date on which Participants log into their Account.
  12. Article 12 (Withdrawal)
    1. 1. If participants wish to withdraw from the program, they can delete their HackerOne account using the built-in functionality of HackerOne. By doing so, you will be considered to have made a request to withdraw from the LINE HackerOne Bug Bounty program.
    2. 2. In the event that a participant violates, or is likely to violate any of these Terms of Service, especially any of the prohibited acts stipulated in Article 7, the Company shall have the right to exclude the Participant from the Program.
  13. Article 13 (Hall of Fame)
    1. 1. Participants submitting vulnerability reports eligible for cash rewards can have their names and personal photos ("Participant Information") posted on the Company's Hall of Fame. Participants shall declare and ensure that the Participant Information they provide to the Company does not infringe on any rights of third parties, including copyrights, trademarks, or any other intellectual property rights. Furthermore, the decision to post said Participant Information on the Hall of Fame shall be made by the Company.
    2. 2. In instances where a complaint, assertion, request, demand or protest ("Complaint, Etc.") is received from a third party due to the posting of Participant Information on the Hall of Fame, the Participant shall be obligated to resolve said Complaint, Etc. at their own expense, and in instances where the Company has suffered damages, shall also bear responsibility for paying compensation immediately for the loss. In cases where the company has resolved a Complaint, Etc., Participants shall bear all expenses for that resolution.
  14. Article 14 (Liability Exemption)
    1. 1. Participants shall participate in the Program at their own responsibility, and the Company shall bear no responsibility for any damages incurred in relation to participation in the Program.
    2. 2. The Company shall not involve itself in any disputes arising between Participants or Participants and third parties in relation to the Program, and Participants shall resolve such disputes at their own responsibility and expense.
  15. Article 15 (Changes to These Terms of Service)
    1. 1. The Company may amend the content of these Terms of Service without notice.
    2. 2. In the event where the Company amends the content of these Terms of Service per the preceding paragraph, Participants are deemed to have accepted the amendments by their continued participation in the Program, and the updated Terms of Service shall apply.
  16. Article 16 (Language and Standard Time)
    1. 1. The Japanese Terms of Service shall be the official text, and the Japanese version shall prevail in case any inconsistencies exist between the Japanese version and the English translation.
    2. 2. Unless specified otherwise, all dates and times used in relation to this Program are of Japan.
  17. Article 17 (Governing Laws and Court of Jurisdiction)
    Disputes between Participants and the Company arising from or in relation to participating in this Program shall be subject to the exclusive jurisdiction of the Tokyo District Court or the Tokyo Summary Court as the court of first instance.
  18. Article 18 (Inquiries Regarding the Program)
    The Program is operated by the Company. All inquiries regarding the Program are to be submitted using the form below. Inquiries sent by any other method will not receive a response.
    (Example: Select "LINE" under Service, "Other" under Category, and "Promotions" under Details)
  Revised November 15, 2019