Hi you all, this is MJ (Myoungjae Lee), in charge of security at LINE. I am back with a report on running the LINE Security Bug Bounty Program for the first half of 2017. For those of you who are new to this program, the purpose of this program is to provide LINE users the most secure service possible by letting external security researchers submit bug (vulnerability) reports which we would then immediately fix. Since our official launch of the program on June 2, 2016, we have expanded the program scope to include the following:
- LINE: Chrome version and Windows 10 Mobile version
- Website: LINE STORE, LINE NEWS, LINE MUSIC, and LINE LIVE
- Number of bug reports before scope expansion (January 1–April 9): 40
- Number of bug reports after scope expansion (April 10–June 30): 56
For those of you who are interested, check the press release on the program scope expansion.
Here are a few links for you to catch a glimpse of the program:
Bug report form: https://bugbounty.linecorp.com/apply/
During the first half of this year, a total of 96 bug reports have been filed. The following charts show you the weekly bug report submissions and the types of bugs reported during this period.
Visits per country
We received a total of 96 reports, 7 reports from Japan and the rest from Korea and other countries. As you can see from the following chart, countries other than Japan, including Thailand, Taiwan, and Indonesia, have shown a considerable amount of interest in this program. As LINE continues to grow globally, we’re also seeing an increased interest in the LINE Security Bug Bounty Program.
Evaluating bug reports
Submitted bug reports are processed in two stages. As I have covered the process in my previous post, reports have to pass both the first and second evaluations to be acknowledged as vulnerabilities. Once a bug report passes the evaluation process, we give out a reward (bounty) to the bug reporter, and we add the reporter and the category of the vulnerability to our Hall of Fame, which is open to the public.
The following diagram describes the steps of the evaluation process.
Each step of the process is as follows:
1st ACCEPT: The bug is accepted for further evaluation.
1st REJECT: The bug is rejected and not evaluated further.
2nd ACCEPT: A detailed investigation has been conducted and the bug is recognized as a vulnerability.
2nd REJECT: A detailed investigation has been conducted and the bug is not recognized as a vulnerability.
COMPLETE: Reward for the bug report has been paid out.
During the first half of 2017, 20 bug reports, including XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery), have been acknowledged as vulnerabilities. Check the program result at the Hall of Fame. Updates to the Hall of Fame can be found on this page.
A total of 29,000 USD has been given out as rewards in the first half of 2017. You can see the rewards given out per country as shown below.
Among the reports that did not qualify for the program, we still gave out rewards to those that contributed greatly to improving the security of LINE services. We announced 11 people as special contributors for the first half of 2017.
Reward Stats so far

| | Aug 24–Sep 23 | Jun 2–Dec 31 | Jan 1–Jun 30 (program scope expansion) |
|---|---|---|---|
| Operation Period | Aug 24–Sep 23 | Jun 2–Dec 31 | Jan 1–Jun 30 |
| Number of reports | 194 (Japan: 89, Others: 105) | 97 (Japan: 15, Others: 82) | 96 (Japan: 7, Others: 89) |
| Hall of Fame | 8 | 3 | 3 |
| Total Rewards | USD 44,000 | USD 27,000 | USD 29,000 |
The following is the reward process for acknowledged bug reports:
1. A reporter submits a bug report.
2. LINE starts evaluating the bug.
3. If the bug is acknowledged, LINE provides a reward payment guide to the reporter.
4. The reporter agrees to the reward.
5. The reporter submits information required to receive the reward.
6. LINE checks the submitted information and documents.
7. LINE pays the reward to the reporter.
For detailed information on the reward process, see Q12 in the FAQ. For your information, in the first half of 2017 the average time from the reward payment guide to actual payment was 52 days.
Thanks to your interest and the reports you made, we were able to discover and fix bugs in advance. All the acknowledged bugs have been fixed, allowing LINE users to enjoy even more secure services.
As introduced earlier, we have expanded the program scope in accordance with LINE’s service expansion. We will continue to expand and develop the LINE Security Bug Bounty Program to further reduce the security risks at LINE.
Feel free to report vulnerabilities at the LINE Security Bug Bounty Program site. Your participation is always appreciated.
If you are interested in the program history, check out the previous posts on the program: