Introducing the LINE Bug Bounty Program

by LINE Engineer on 2015.8.5


Hello. I am MJ from the LINE Security Department. In this post, I would like to announce the details of the LINE Bug Bounty.

What is a bug bounty?

Companies use bug bounty programs to strengthen their services and products by rewarding users that can find vulnerabilities in them. Many companies have used these programs to take a more active role in strengthening the security of their services.

LINE has grown into a global company that now provides services to more than 200 million monthly active users. The number of products and services has increased, and so has the number of users that require protection. We at LINE aim to provide a more stable service as a result of this bug bounty.

The ultimate goal of a bug bounty is to discover flaws and vulnerabilities in products and services as fast as possible, and to come up with security measures that can resolve those issues. We live in a world where organized hackers have access to endlessly evolving technology. In an environment where zero-day attacks are frequent, nobody can be sure that they are 100% protected and secure. With the current speed of new technology development, it is difficult to prevent these attacks unless you can read the mind of your potential attacker. LINE is looking forward to the help of white hat hackers all over the globe. With their reports, we will be able to discover and resolve security issues more actively than before.

Bug bounties put out by other companies

Until now, LINE has had an independent security team analyzing and handling security flaws, and we have also received feedback from CERTs in Japan and Thailand and resolved the issues they reported. But with the recent changes in security trends, we have decided that a bug bounty may be a better solution.

Global companies such as Google, Facebook, and Microsoft are no strangers to bug bounties. These companies have used bug bounties to strengthen their security for several years.

[Table 1. Bug bounties put out by other companies, and their details]

| Company Name | Bug Bounty Details |
| --- | --- |
| Google | Launched various reward programs for users that find vulnerabilities in 2010. Rewards ranged from $100 to $20,000 depending on the severity. |
| Facebook | Launched in 2011, offers a minimum of $500 with no upper limit. |
| Microsoft | Launched various programs in 2013. Offered a minimum of $5,000 during the “Internet bug bounty Program” held together with Facebook in the same year. |

Using bug bounties as a way to improve services and to prevent hacking incidents is already the norm for global IT companies. You can see which companies have offered bug bounties from the link below.
Companies that offer bug bounties

There are also firms that offer membership-based bug bounty programs for other companies that do not maintain and operate programs themselves. HackerOne is one amongst many of these firms.

Recently, Microsoft made headlines by announcing a bug bounty program for Microsoft Edge (formerly Project Spartan), the browser that ships with Windows 10, their latest operating system. The program was announced during the 2015 Mobile Security Conference (MOSEC) in Shanghai.

Photos taken at MOSEC 2015 by MJ, LINE Corp.

Microsoft operates numerous bug bounty programs for each of their many products and services, receiving reports from hundreds of white hat hackers every year. As Microsoft benefits a great deal from these white hat hackers from all over the globe, they make an effort to maintain a good relationship with them as well.

While many global companies are actively putting out bug bounties on a regular basis, only a few of these companies are based in Japan or Korea.

LINE Bug Bounty

LINE has decided to launch its own bug bounty program, beginning in mid-August, 2015. Anyone who discovers a security flaw in the LINE app will be rewarded with a minimum of $500 up to $20,000 (USD) depending on the severity of the discovered vulnerability.

Schedule

The LINE Bug Bounty program will run for the following period: 12 PM August 24th (GMT+9) to 12 PM September 23rd (GMT+9), 2015.

Rewards

The following rewards will be given to participants that discover vulnerabilities in LINE.

[Table 2. Minimum rewards for each vulnerability type]

| Vulnerability | Description | Minimum Reward (USD) |
| --- | --- | --- |
| Message/call Eavesdropping | Ability to eavesdrop on, modify or terminate another person’s messages or phone calls. | $10,000 |
| SQL Injection | Ability to access private information through SQL injection attack. | $3,000 |
| Cross-Site Scripting (XSS) | Ability to hijack session or execute scripts through XSS attack. | $500 |
| Cross-Site Request Forgery (CSRF) | Ability to force the LINE User to perform an undesired process through CSRF attack. | $500 |
| Client-Side Remote Code Execution | Ability to send message containing arbitrary code via LINE and cause desired code to be executed on devices receiving message. | $20,000 |
| Server-Side Remote Code Execution | Ability to send packets containing arbitrary code to server side and cause desired code to be executed on server side. | $10,000 |
| Authentication Bypass | Ability to masquerade as another person by bypassing authentication procedures. | $5,000 |
| Purchase Bypass | Ability to obtain items while bypassing in-app payment procedures. | $5,000 |
| Other | Other. | $500 |

Your submissions will be reviewed according to the internal rules to see if they are eligible for a reward. You can earn higher payouts than the minimum amount if your submitted vulnerability is detailed and/or more severe than the ones listed above. You will be rewarded accordingly if your submission is eligible, and your name and discovered vulnerability will be registered on the Hall of Fame page. For more information on the program, please refer to the official LINE Bug Bounty page.

Expected outcome

We at LINE are eagerly awaiting reports from white hat hackers all over the globe, with a firm belief that your submissions will help keep LINE safe. Use your talents to make the internet environment a safer place!
LINE Bug Bounty