Hello, this is Kazuhiro Kubota from the LINE Security Department. Last time we brought you the report for the first half of 2018. Today, I'd like to summarize the results of the LINE Security Bug Bounty program for 2018.
Number of reports in 2018
In 2018, a total of 88 reports qualified for the program. This figure is almost twice as many as the 45 cases in 2017. Indeed, we did expand our scope of the program from the previous year, 2017, but we think that this increase is attributed by the growing recognition of our Bug Bounty Program. Also, some of the reporters have submitted multiple reports.
Here is the summary of the reports we have received in 2018. The graph shows the total number of reports submitted per week and of those, the reports that qualify for the program. As you can see from the graph, we received at least one report every business day, and at least one qualifying report every week.
Vulnerability types
Most of the vulnerabilities that qualified for our Hall of Fame were of the 'Others' category, at 15 reports, followed closely by XSS at 14 reports. The Others category includes reports such as unrecoverable DoS attacks on the client and other high-impact composite vulnerabilities that were unable to be categorized.
We also rewarded those who have discovered vulnerabilities that allow a user to obtain personal information of other users through the LINE app. The types of vulnerabilities discovered by the qualifying reports are shown in the chart below. Note that the reports that were deemed as special contributions are not shown in this Hall of Fame chart.
As for the XSS category, vulnerabilities were recognized if they occurred within LINE's in-app Cordova Webview context. There was also an RCE (Remote Code Execution) discovered last year through a system call via template injection of an old service. We rewarded US$10,000 to the reporter.
A total of 33 hackers were recognized for their contributions and rewarded for a total of US$104,500.
In 2017, we only rewarded US$76,500 in bug bounties; however, we have managed to cross the 100 million yen mark (approximately US$905,000) this year.
Reward statistic
The number of participants in our Bug Bounty Program and the number of valid reports increased as the years went by.
Note. Some people were recognized as both a Hall of Fame recipient and a Special Contributor, so the number is inflated.
| 2018 | 2017 | 2016 | |
|---|---|---|---|
| Program Period | Whole year | Whole year | Jun 2-Dec 31 |
| Total number of reports | 302 | 212 | 97 |
| Qualified reports | 88 | 45 | 13 |
| Hall of Fame Recipients | 16 | 11 | 3 |
| Special Contributors | 19 | 21 | 8 |
| Bounty amount (USD) | $104,500 | $76,500 | $27,000 |
Renewal of the Reward Table
Up till now, we have been rewarding hackers based on the type of vulnerability reported. However, even within the same category, vulnerabilities can have varying severities and degrees of impact, so we decided to improve our reward system. The improved Reward Table aims to reward hackers based on the applications the vulnerabilities can affect, as well as what can be accomplished if they were to be exploited.
Examples are shown below.
| Category | Example | Reward (USD) | |
|---|---|---|---|
| Critical applications | Other applications | ||
| Remote Code Execution | Client-side or server-side vulnerabilities involving command injection | $30,000 | $10,000–$30,000 |
| Full access to file system or database | Using SSRF or SQL Injection and others to access arbitrary files or retrieve all data from a database | $10,000–$30,000 | $3,000–$10,000 |
| Account takeover | Authentication bypass involving acquiring users login information | $5,000–$10,000 | $5,000–$10,000 |
| Logic flaw bugs, information leaks, or bypassing significant security controls | Verification flaws such as IDOR, impersonation, triggering sensitive actions, purchase bypass | $5,000–$15,000 | $1,000–$5,000 |
| Execute code on the client | Cross-site scripting and other vulnerabilities occurring on application level | $1,500–$5,000 | $500–$1,500 |
| Other valid security vulnerabilities | CSRF, Clickjacking, information leakage etc. | $500–$10,000 | $500–$10,000 |
The table above shows some of the most common vulnerability categories with some differences. In a generic Bug Bounty, RCE (Remote Code Execution) refers to server-side code execution; however, at LINE we consider that if a vulnerability allows someone to hijack the LINE messenger app on iOS or Android, that would be recognized as RCE on the client-side and be granted an equally high bounty. Similarly for cross-site scripting (XSS) bugs, if it occurs on the LINE messenger app, it will be considered as a critical application vulnerability in the 'Execute code on client' category and granted a minimum of US$1,500 or more.
If you can find a vulnerability that allows you to hijack the LINE app, and where user-interaction does not affect the outcome, please submit it via the Bug Report form!
By the way, the table above is only for reference and does not necessarily guarantee the exact amount as a reward. For example, a bug affecting only one specific phone model would likely grant a lower bounty than stated.
Although the program-wide bounty increase is partially due to combining several categories into one, our methods of evaluation have not changed and we will be evaluating both new and old bugs under this new Reward Table.
New SWAG
Many of the reports we have received were out-of-scope for the bounty rewards, but those often provide us with useful information that have helped us better our applications. We have been giving out T-shirts as a 'thank you' reward to those people, as well as those with qualifying reports up till now.
But from today, we are proud to announce the addition of YubiKey 5 as a part of our SWAG! Both FIDO2 and NFC are supported.
As of February 2019, we are planning to send an email to our valuable hackers who have received a complete set of our T-shirt collection over multiple reports and thank them again for their continued service with our brand new swag.
Stay tuned!
Lastly
A big THANK YOU to everyone who participated in our Bug Bounty Program last year. We hope that you will continue bug hunting this year too, to make a better and safer environment for all LINE users. If you enjoy looking for vulnerabilities in the various LINE applications and services, as well as participate in our Bug Bounty operations, we want you!
- Security Engineer (Vulnerability Analysis)【Open to Everyone】 - Japan
- Infra security engineer - Korea
- Security engineer - Taiwan