2019-11-16
2020-01-18
LINE

LINE Bug Bounty rules at a glance

The LINE Bug Bounty Program summarises below the points you should keep in mind after reading the full policy:

  • The main LINE app is currently the primary focus of this program. For some assets, a finding must demonstrate an effect on the LINE app to be considered in scope. See Scope for more details.

  • Do not use automated scanning tools. Your IP may be restricted and you may be disqualified. See Program Rules for more details.

  • Act in good faith

  • Do not adversely affect our users

  • The first bounty payout may take up to two months to complete after receipt of your information. Subsequent payouts are significantly faster. See the Eligibility Requirements section for details.

  • All bounty amounts in our rewards table are the actual amounts paid to hackers, regardless of country of residence: a report rewarded $500 pays $500. LINE covers the Japanese withholding tax applied to all bounties, which is 20.42% for reporters residing outside Japan and 10.21% for reporters residing in Japan.

The purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.

To compensate hackers for their efforts, LINE offers bounty rewards. Please review the following program rules and the Terms of Use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Please view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.


Response Targets

LINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to triage (from report submit) - 5 business days

  • Time to bounty decision (from report submit) - 15 business days

  • Time to issue resolved (from report submit) - 31 business days

*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the Eligibility Requirements section for details.

We will do our best to keep you informed about our progress throughout the process.


Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').

  • Follow HackerOne's disclosure guidelines.

  • Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.

  • The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.

  • In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.

  • Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.


Program Rules

Please adhere to the following rules when participating in our program; doing so is also required for your submission to be eligible for a bounty.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Do not use automated vulnerability scanners to launch attacks against LINE's systems.

  • Do not use a discovered vulnerability to view, delete, alter, or publish user data.

  • With regard to the personal information of others (PII), accessing, deleting, modifying, storing or otherwise manipulating such data is prohibited. If you encounter any personal information while testing, stop immediately, describe the details in your vulnerability report to LINE, and delete that personal information and all copies of it from any device, such as a computer.

  • Disclosure, leaking and publication of any personal information accessed is also prohibited.

  • Be able to communicate in Japanese or English.

  • Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.

  • To qualify for a bounty, hackers must consent to providing their full name, home address, date of birth and phone number to be checked against the Japanese anti-social forces database.


Eligibility Requirements

  • Be at least 16 years of age.

  • Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months.

  • Not be an entity, or part of an entity, that is carrying out, or has carried out within the last 6 months, a project jointly with the Company.

  • Not be a member of an anti-social group or a related party thereof

In order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:

  • You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country. If you want to complete this process, please state so clearly in the report or as a comment to the report.

Hackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s Terms of Use.

In order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:

  1. (REQUIRED): Anti-social forces screening: Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.

    • *If your name is written in Kanji (Chinese characters), please include its English spelling as well in your Full Name.

In-Scope Assets

| Tier A Assets                   | Tier B Assets   |
|---------------------------------|-----------------|
| LINE Messenger - Chat           | *.line.me       |
| LINE Messenger - VoIP           | *.line.biz      |
| LINE Messenger - VOOM           | *.line-apps.com |
| LINE Messenger - Keep           | *.line.naver.jp |
| LINE Messenger - OpenChat       |                 |
| LINE Messenger - News           |                 |
| LINE Messenger - Applications * |                 |

* LINE Messenger Applications in scope (Tier A):

  • Windows: Microsoft Store Executable

  • macOS

  • iOS

  • Android

  • Lite

  • Chrome Extension


Test Accounts

We do not provide test accounts.

Please use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.

Do not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.


SSRF Testing

LINE has created an internal canary service to make SSRF testing against our assets easier. It listens on multiple ports, is reachable on multiple IPs and hostnames (some resolving to public and some to private addresses), accepts different kinds of requests, and answers every request with a flag.

IMPORTANT NOTES

  • Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.

  • Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.

Usage:

  • On ports 80 and 8080 it accepts any data over a raw socket (any protocol).

  • On ports 443 and 4443 it accepts the same data wrapped in TLS (encrypted).

It can be reached through the following domain names and IPs, to test different conditions:

  • ssrf-pub.line-dev.me (Public IP)

  • bb.line-dev.me (Private IP)

  • ssrf.line-dev.me (Private IP)

  • 10.231.191.161 (Private IP)

  • 147.92.156.240 (Public IP)

It also supports the following formats:

  • png

  • jpg

  • jpeg

  • gif

  • js

  • htm

  • html

If you request any other format (e.g. *.xz) or any other path (e.g. /notHere), the flag is included at the top of the response as plain text. Please remember to add your H1 username as a header or parameter while testing, so we can quickly verify that you hit the endpoint. Examples:

  • Header:

    • X-HackerOne: MyUserName

  • Parameter:

    • ?Hackerone=MyUserName
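The following script is an added example, not LINE's own tooling: it enumerates every host, port and scheme combination the canary description above lists, tags each request with the HackerOne username as both the X-HackerOne header and the Hackerone query parameter, and includes a helper to confirm the public endpoint answers before you point a suspected SSRF sink at it. The path name "probe", the use of a bare path to get the plain-text flag, and reading the flag from the first non-empty line of the body are assumptions; the page does not publish the flag format.

```python
"""Probe generator for the LINE SSRF canary (added example, not LINE code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode
import urllib.request

# Endpoints and ports exactly as listed in the program text.
CANARY_HOSTS = {
    "ssrf-pub.line-dev.me": "public",
    "bb.line-dev.me": "private",
    "ssrf.line-dev.me": "private",
    "10.231.191.161": "private",
    "147.92.156.240": "public",
}
RAW_PORTS = (80, 8080)     # any data over a raw socket
TLS_PORTS = (443, 4443)    # same, wrapped in TLS
FORMATS = ("png", "jpg", "jpeg", "gif", "js", "htm", "html")


@dataclass(frozen=True)
class Probe:
    url: str
    headers: Dict[str, str]
    reachability: str  # "public" or "private": which network the vulnerable server must reach


def build_probes(username: str, fmt: Optional[str] = None, path: str = "probe") -> List[Probe]:
    """Return one Probe per host x port, each carrying the username twice.

    fmt picks one of the content types the canary serves, which matters when the
    SSRF sink only fetches images or scripts. With fmt=None the bare path is
    requested; the program text says that returns the flag as plain text.
    The leaf name "probe" is an arbitrary choice (assumption).
    """
    if fmt is not None and fmt not in FORMATS:
        raise ValueError(f"canary does not serve .{fmt}")
    if not username or any(c.isspace() for c in username):
        raise ValueError("username must be a non-empty token without whitespace")
    leaf = f"{path}.{fmt}" if fmt else path
    query = urlencode({"Hackerone": username})
    probes: List[Probe] = []
    for host, reach in CANARY_HOSTS.items():
        for port in RAW_PORTS + TLS_PORTS:
            scheme = "https" if port in TLS_PORTS else "http"
            url = f"{scheme}://{host}:{port}/{leaf}?{query}"
            probes.append(Probe(url, {"X-HackerOne": username}, reach))
    return probes


def first_line(body: str) -> str:
    """Candidate flag: the first non-empty line of a plain-text response.
    Assumption: the page only says the flag is 'at the top of the response'."""
    for line in body.splitlines():
        if line.strip():
            return line.strip()
    return ""


def fetch_direct(probe: Probe, timeout: float = 5.0) -> str:
    """Hit the canary directly (no SSRF involved) to confirm it answers.
    Only the public endpoints are reachable from outside LINE's network."""
    req = urllib.request.Request(probe.url, headers=probe.headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys

    user = sys.argv[1] if len(sys.argv) > 1 else "MyUserName"
    probes = build_probes(user)
    for p in probes:
        print(f"[{p.reachability:7}] {p.url}")
    # Sanity-check one public HTTP endpoint before wiring a URL into an SSRF attempt.
    public = next(p for p in probes if p.reachability == "public" and p.url.startswith("http://"))
    try:
        print("canary says:", first_line(fetch_direct(public)))
    except OSError as exc:
        print("canary unreachable from here:", exc)
```

Feed the private-address URLs only through the suspected SSRF sink; they will not resolve or connect from your own machine, and a flag coming back for one of them is the evidence that the request originated inside LINE's network, which is what the report needs to show.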

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope:

  • Vulnerabilities reported as-is from automated scanner output, without manual verification

  • Hypothetical or theoretical vulnerabilities without a working proof of concept

  • Susceptibility to brute force attacks aimed at retrieving passwords or tokens

  • Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)

  • Cache-Poisoned Denial-of-Service

  • Ability to spam LINE users arbitrarily with spam messages

  • Ability to change a password without confirmation of the previous password on LINE app

  • Session fixation

  • Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes

  • Login/logout CSRF

  • Attack requiring physical access to a user's device or using a rooted device

  • Missing security header(s)

  • Script executions that do not affect Users

  • Vulnerabilities attributable to out-of-date browsers or platforms

  • Content related to auto fill web forms

  • Absence of secure flag attribute for non-critical cookies

  • Unsafe SSL/TLS cipher suites or protocol version

  • Accessibility of profile photos, VOOM photos, etc. by anyone via URL

  • Vulnerabilities attributable to the use of virtual phone numbers

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Reporting that an unauthorized HTTP method can be used

  • Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record

  • Credit card or payment platform reimbursement features

  • Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.

  • Vulnerabilities affecting only a single browser or a single browser version

  • Username/e-mail enumeration only

  • Exposure or lack of security controls on Google Maps API keys

  • Exposure of API keys with no security impact

  • Subdomain takeover reports with CNAME records regarding the livedoor.jp domain without proof of concept

  • Broken link hijacking (social media account etc)

    • You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty
  • Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics)

    • You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Our complete Terms Of Use page can be found here:

https://bugbounty.linecorp.com/en/terms_of_use/

Thank you for helping keep LINE Corporation and our users safe


LINE’s Hall of Fame

Having previously run LINE's own Bug Bounty Program, we have recognised several talented hackers who contributed to the safety of our business and our customers.

For a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.

In Scope

| Scope Type          | Scope Name                |
|---------------------|---------------------------|
| android_application | jp.naver.line.android     |
| android_application | com.linecorp.linelite     |
| application         | Windows Executable        |
| ios_application     | 443904275                 |
| ios_application     | 539883307                 |
| mobile_applications | 9wzdncrfj2g6              |
| other               | Chrome Extension          |
| other               | LINE Messenger - Keep     |
| other               | LINE Messenger - VoIP     |
| other               | LINE Messenger - Chat     |
| other               | LINE Messenger - News     |
| other               | Other Assets              |
| other               | LINE Messenger - OpenChat |
| other               | LINE Messenger - VOOM     |
| web_application     | *.line-apps.com           |
| web_application     | *.line.naver.jp           |
| web_application     | *.line.me                 |
| web_application     | *.line.biz                |

Out of Scope

| Scope Type      | Scope Name                                      |
|-----------------|-------------------------------------------------|
| other           | LINE Pay                                        |
| web_application | https://prod-fido-fido2-server.line-apps.com/   |
| web_application | *nvapis.line.me                                 |


This program was found on HackerOne on 2019-11-16.

FireBounty © 2015-2024
