by LINE Engineer on 2015.8.5
Hello. I am MJ from the LINE Security Department. In this post, I would like to announce the details of the LINE Bug Bounty.
What is a bug bounty?
Companies use bug bounty programs to strengthen their services and products by rewarding users that can find vulnerabilities in them. Many companies have used these programs to take a more active role in strengthening the security of their services.
LINE has grown into a global company that now provides services to more than 200 million active users on a monthly basis. The number of products and services has increased, and so has the number of users that require protection. We at LINE aim to provide a more stable service as a result of this bug bounty.
The ultimate goal of a bug bounty is to discover flaws and vulnerabilities in products and services as fast as possible, and to come up with security measures that can resolve those issues. We live in a world where organized hackers have access to endlessly evolving technology. In an environment where zero-day attacks are frequent, nobody can be sure that they are 100% protected and secure. With the current speed of new technology development, it is difficult to prevent these attacks unless you can read the mind of your potential attacker. LINE is looking forward to the help of white hat hackers all over the globe. With their reports, we will be able to discover and resolve security issues more actively than before.
Bug bounties put out by other companies
LINE has had an independent security team analyzing and handling security flaws, and we have also received feedback from CERTs in Japan and Thailand and resolved the issues they raised. But with the recent changes in security trends, we have decided that a bug bounty may be a better solution.
Global companies such as Google, Facebook, and Microsoft are no strangers to bug bounties. These companies have used bug bounties to strengthen their security for several years.
|Company Name||Bug Bounty Details|
|Google||Launched various reward programs for users that find vulnerabilities in 2010. Rewards ranged from $100 to $20,000 depending on the severity.|
|Facebook||Launched in 2011, offers a minimum of $500 with no upper limit.|
|Microsoft||Launched various programs in 2013. Offered a minimum of $5,000 during the “Internet bug bounty Program” held together with Facebook in the same year.|
Using bug bounties as a way to improve services and to prevent hacking incidents is already a norm for global IT companies. You can see what companies have offered bug bounties from the link below.
Companies that offer bug bounties
There are also firms that offer membership-based bug bounty programs for other companies that do not maintain and operate programs themselves. HackerOne is one amongst many of these firms.
Recently, Microsoft made headlines by announcing a bug bounty program for Microsoft Edge (formerly Project Spartan), the browser that ships with Windows 10, their latest operating system. The program was announced during the 2015 Mobile Security Conference (MOSEC) in Shanghai.
Microsoft operates numerous bug bounty programs for each of their many products and services, receiving reports from hundreds of white hat hackers every year. As Microsoft benefits a great deal from these white hat hackers from all over the globe, they make an effort to maintain a good relationship with them as well.
While many global companies are actively putting out bug bounties on a regular basis, only a few of these companies are based in Japan or Korea.
LINE Bug Bounty
LINE has decided to launch its own bug bounty program, beginning in mid-August, 2015. Anyone who discovers a security flaw in the LINE app will be rewarded with a minimum of $500 up to $20,000 (USD) depending on the severity of the discovered vulnerability.
The LINE Bug Bounty program will run for the following period: 12 PM August 24th (GMT+9) to 12 PM September 23rd (GMT+9), 2015.
The following rewards will be given to participants that discover vulnerabilities in LINE.
|Vulnerability||Description||Minimum Reward (USD)|
|Message/call Eavesdropping||Ability to eavesdrop on, modify or terminate another person’s messages or phone calls.||$10,000|
|SQL Injection||Ability to access private information through SQL injection attack.||$3,000|
|Cross-Site Scripting (XSS)||Ability to hijack session or execute scripts through XSS attack.||$500|
|Cross-Site Request Forgery (CSRF)||Ability to force the LINE User to perform an undesired process through CSRF attack.||$500|
|Client-Side Remote Code Execution||Ability to send message containing arbitrary code via LINE and cause desired code to be executed on devices receiving message.||$20,000|
|Server-Side Remote Code Execution||Ability to send packets containing arbitrary code to server side and cause desired code to be executed on server side.||$10,000|
|Authentication Bypass||Ability to masquerade as another person by bypassing authentication procedures.||$5,000|
|Purchase Bypass||Ability to obtain items while bypassing in-app payment procedures.||$5,000|
Your submissions will be reviewed according to internal rules to see if they are eligible for a reward. You can earn higher payouts than the minimum amount if your submitted vulnerability is detailed and/or more severe than the ones listed above. You will be rewarded accordingly if your submission is eligible, and your name and discovered vulnerability will be registered on the Hall of Fame page. For more information on the program, please refer to the official LINE Bug Bounty page.
We at LINE are eagerly awaiting reports from white hat hackers all over the globe, with a firm belief that your submissions will help in keeping LINE safe. Use your talents to make the internet environment a safer place!