LINE
16/11/2019
LINE Bug Bounty rules at a glance

The LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy:

  • The main LINE app is currently the main focus of this program. For some assets, an effect on the application must be demonstrated for a finding to be considered in scope. See the Scope section for more details.
  • Do not use automated scanning tools. Your IP may be restricted and you may be disqualified. See Program Rules for more details.
  • Act in good faith.
  • Do not adversely affect our users.
  • The first bounty payout may take up to two months to complete. Afterwards, the process speeds up significantly. See the Eligibility Requirements section for details.

The purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.

To compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.


Response Targets

LINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to triage (from report submission): 5 business days
  • Time to bounty decision (from report submission): 15 business days
  • Time to issue resolution (from report submission): 31 business days

*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued. Please see the Eligibility Requirements section for details.

We will do our best to keep you informed about our progress throughout the process.


Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').
  • Follow HackerOne's disclosure guidelines.
  • Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.
  • The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.
  • Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.

Program Rules

Please ensure you adhere to the following rules when participating in our program; doing so also ensures that your submission will be eligible for a bounty.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Do not use automated vulnerability scanners to launch attacks against LINE's systems.
  • Do not use a discovered vulnerability to view, delete, alter, or publish user data.
  • Please note that any bounty payments that may apply can only be issued to an adult.
  • Not be an employee of the Company or an affiliated company.
  • Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company.
  • Be able to communicate in Japanese or English.
  • Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.
  • In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes).

Test Accounts

We do not provide test accounts.
Please use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.
Do not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.


Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope:

  • Vulnerabilities submitted as-is from automated scanner output, without further verification
  • Hypothetical or theoretical vulnerabilities without working proof-of-concept code
  • Susceptibility to a denial-of-service attack
  • Susceptibility to brute force attacks aimed at retrieving passwords or tokens
  • Any activity that could lead to the disruption of our service (DoS).
  • Ability to spam LINE users arbitrarily with spam messages
  • Ability to change a password without confirmation of the previous password on LINE app
  • Session fixation
  • Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes
  • Login/logout CSRF
  • Attack requiring physical access to a user's device or using a rooted device
  • Missing security header(s)
  • Script executions that do not affect Users
  • Vulnerabilities attributable to out-of-date browsers or platforms
  • Content related to auto fill web forms
  • Absence of secure flag attribute for non-critical cookies
  • Unsafe SSL/TLS cipher suites or protocol version
  • Accessibility of profile photos, Timeline photos, etc. by anyone via URL
  • Vulnerability attributable to virtual phone number
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Reporting that an unauthorized HTTP method can be used
  • Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record
  • Credit card or payment platform reimbursement features
  • Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.
  • Vulnerabilities only affecting a single browser or a single version only
  • Username/e-mail enumeration only
  • Exposure of API keys with no security impact (Google Maps API keys etc.)

Eligibility Requirements

  • Be at least 16 years of age.
  • Not be an employee of the Company or an affiliated company
  • Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company

In order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the Withholding Tax section below.

Hackers need to provide additional information for anti-social forces screening and tax processing only once, for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program's Terms of Use.

In order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:

  1. (REQUIRED): Anti-social forces screening: Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.
    • *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name
  2. (RECOMMENDED) Income tax convention form submission: Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire Withholding Tax section for details).

LINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued.


Withholding Tax

LINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.

For example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to Applicable Tax Rates section below.

Applicable Tax Rates

If you are a Japanese resident, a tax rate of 10.21% will be withheld. You will not need to submit the Tax form.

If you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of 20.42% will be withheld from the awarded bounty.

If you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.

List of countries and applicable tax rates: {F518203}

Withholding Tax Exemption or Reduction

Note that these procedures are independent from HackerOne's Tax Form (W9).

If you are a Japanese resident, you are not eligible for tax reduction or exemption.

If you are not a Japanese resident, you may be eligible for tax exemption or reduction if your country of residence has a tax agreement with Japan. See Japan's Tax Convention Network for details.

To apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities.

If you are a resident of any of the countries listed below, proof of residency is also required.

  • Australia
  • Austria
  • Czech Republic
  • Denmark
  • France
  • Germany
  • Hungary
  • Poland
  • Slovakia
  • Sri Lanka
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom
  • United States (Form 6166)

Tax Form

You can download the Tax Form and reference samples below. Note that the format is different if you are a resident of Taiwan (ROC).

  • Tax Form (all countries): {F515592}
    • sample: {F515593}
  • Tax Form (Taiwan): {F517691}
    • sample: {F517692}

NOTE:
For countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).

There is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate > 0%).

Instructions for Filling out the Tax Form

Please follow these instructions to ensure smooth withholding tax processing and bounty payout.

  • Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink.
  • Your full name, address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.
  • Mail the tax form to LINE Corporation’s office via post. The address is below:

Attn: Person in charge of LINE Security Bug Bounty Program
Security Center, LINE Corporation
21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward,
Tokyo 160-0021


Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Our complete Terms Of Use page can be found here:
https://bugbounty.linecorp.com/en/terms_of_use/

Thank you for helping keep LINE Corporation and our users safe

In Scope

Scope Type            Scope Name
android_application   jp.naver.line.android
android_application   Google Play Store
web_application       *.line-apps.com
web_application       store.line.me
web_application       news.line.me
web_application       music.line.me
web_application       live.line.me
web_application       *.line.naver.jp
web_application       *.line.me
web_application       Apple Mac App Store
web_application       Apple App Store
web_application       Microsoft Windows Store
web_application       Microsoft Windows Store (please make sure you are testing the latest version; only the latest version is considered in scope)
web_application       https://chrome.google.com/webstore/detail/line/ophjlpahpchlmihnnnihgmmeilfjmjjc
web_application       https://desktop.line-scdn.net/win/new/LineInst.exe

Out of Scope

Scope Type            Scope Name
other                 Please refrain from testing any functionality that is related to financial transactions. This includes LINE Pay functionality within the LINE Application and Rabbit Pay for Thailand.
web_application       com.linecorp.linelite


This program was found on HackerOne on 2019-11-16.

FireBounty © 2015-2019
