
Results From First half of 2017 LINE Security Bug Bounty Program

Lee Myeongjae 2017.08.07

He is a security engineer at LINE.

Scope Expansion

Hi you all, this is MJ (Myoungjae Lee), in charge of security at LINE. I am back with a report on running the LINE Security Bug Bounty Program for the first half of 2017. For those of you who are new to this program, the purpose of this program is to provide LINE users the most secure service possible by letting external security researchers submit bug (vulnerability) reports which we would then immediately fix. Since our official launch of the program on June 2, 2016, we have expanded the program scope to include the following:

  • LINE: Chrome version and Windows 10 Mobile version
  • Website: LINE STORE, LINE NEWS, LINE MUSIC, and LINE LIVE

For those of you who are interested, check the press release on the program scope expansion.

Here are a few links for you to catch a glimpse of the program:

Bug report form: https://bugbounty.linecorp.com/apply/

Terms of use: https://bugbounty.linecorp.com/en/terms_of_use/

FAQ: https://bugbounty.linecorp.com/en/faq/

Bug reports

During the first half of this year, a total of 96 bug reports have been filed. The following charts show you the weekly bug report submissions and the types of bugs reported during this period.

  • Number of bug reports before scope expansion (January 1–April 9): 40
  • Number of bug reports after scope expansion (April 10–June 30): 56

Visits per country

We received a total of 96 reports: 7 reports from Japan and the rest from Korea and other countries. As you can see from the following chart, countries other than Japan, including Thailand, Taiwan, and Indonesia, have shown a considerable amount of interest in this program. As LINE continues to grow globally, we're also seeing an increased interest in the LINE Security Bug Bounty Program.

Evaluating bug reports

Submitted bug reports are processed in two stages. As I have covered the process in my previous post, reports have to pass both the first and second evaluations to be acknowledged as vulnerabilities. Once a bug report passes the evaluation process, we give out a reward (bounty) to the bug reporter, and we add the reporter and the category of the vulnerability to our Hall of Fame, which is open to the public.

The following diagram describes the steps of the evaluation process.

Each step of the process is as follows:

1st ACCEPT: The bug is accepted for further evaluation.
1st REJECT: The bug is rejected and not evaluated further.
2nd ACCEPT: A detailed investigation has been conducted and the bug is recognized as a vulnerability.
2nd REJECT: A detailed investigation has been conducted and the bug is not recognized as a vulnerability.
COMPLETE: The reward for the bug report has been paid out.

Program Result

During the first half of 2017, 20 bug reports, including XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery), have been acknowledged as vulnerabilities. Check the program result at the Hall of Fame. Updates to the Hall of Fame can be found on this page.

A total of 29,000 USD has been given out as rewards in the first half of 2017. You can see the rewards given out per country as shown below.

Among the bugs that could not qualify for the program, we gave out rewards to the ones that contributed greatly to an increased level of security for LINE services. We announced 11 people as special contributors for the first half of 2017.

Rewards

Reward Stats so far

                      2015 (Trial)                   2016 (Official launch)        2017 (Program scope expansion)
Operation Period      Aug 24–Sep 23                  Jun 2–Dec 31                  Jan 1–Jun 30
Bug Reports           194 (Japan: 89, Others: 105)   97 (Japan: 15, Others: 82)    96 (Japan: 7, Others: 89)
Rewarded Bugs         14                             13                            20
Hall of Fame          8                              3                             3
Special Contributors  9                              8                             11
Total Rewards         USD 44,000                     USD 27,000                    USD 29,000

Reward Process

The following is the reward process for acknowledged bug reports:

1. A reporter submits a bug report.
2. LINE starts evaluating the bug.
3. If the bug is acknowledged, LINE provides a reward payment guide to the reporter.
4. The reporter agrees to the reward.
5. The reporter submits the information required to receive the reward.
6. LINE checks the submitted information and documents.
7. LINE pays the reward to the reporter.

For detailed information on the reward process, see Q12 in the FAQ. For your information, in the first half of 2017 the average time from reward guidance to actual payment was 52 days.

Ending Notes

Thanks to your interest and the reports you made, we were able to discover and fix bugs in advance. All the acknowledged bugs have been fixed, allowing LINE users to enjoy even more secure services.

As introduced earlier, we have expanded the program scope in accordance with LINE's service expansion. We will continue to expand and develop the LINE Security Bug Bounty Program to further reduce the security risks at LINE.

Feel free to report vulnerabilities at the LINE Security Bug Bounty Program site. Your participation is always appreciated.

If you are interested in the program history, check out the previous posts on the program:
