LINE Security Bug Bounty Program Report 2018

Hello, this is Kazuhiro Kubota from the LINE Security Department. Last time we brought you the report for the first half of 2018. Today, I’d like to summarize the results of the LINE Security Bug Bounty program for 2018.

Number of reports in 2018

In 2018, a total of 88 reports qualified for the program, almost twice the 45 qualifying reports in 2017. We did expand the scope of the program compared with 2017, but we think the increase is mainly attributable to the growing recognition of our Bug Bounty Program. Some reporters also submitted multiple reports.

Here is a summary of the reports we received in 2018. The graph shows the total number of reports submitted per week and, of those, the reports that qualified for the program. As the graph shows, we received at least one report every business day, and at least one qualifying report every week.

Vulnerability types

Most of the vulnerabilities that qualified for our Hall of Fame fell into the ‘Others’ category, at 15 reports, followed closely by XSS at 14 reports. The Others category includes reports such as unrecoverable DoS attacks on the client and other high-impact composite vulnerabilities that could not be placed in a single category.

We also rewarded those who discovered vulnerabilities that allow a user to obtain the personal information of other users through the LINE app. The types of vulnerabilities discovered by the qualifying reports are shown in the chart below. Note that reports deemed special contributions are not shown in this Hall of Fame chart.

As for the XSS category, vulnerabilities were recognized if they occurred within LINE’s in-app Cordova WebView context. An RCE (Remote Code Execution) was also discovered last year, reached through a system call via template injection in an old service. We rewarded the reporter US$10,000.

A total of 33 hackers were recognized for their contributions and rewarded for a total of US$104,500.

In 2017, we only rewarded US$76,500 in bug bounties; however, we have managed to cross the 100 million yen mark (approximately US$905,000) this year.

Reward statistics

The number of participants in our Bug Bounty Program and the number of valid reports have increased year on year.

Note: Some people were recognized as both a Hall of Fame recipient and a Special Contributor, so the combined count is inflated.


|                         | 2018       | 2017       | 2016         |
|-------------------------|------------|------------|--------------|
| Program Period          | Whole year | Whole year | Jun 2–Dec 31 |
| Total number of reports | 302        | 212        | 97           |
| Qualified reports       | 88         | 45         | 13           |
| Hall of Fame Recipients | 16         | 11         | 3            |
| Special Contributors    | 19         | 21         | 8            |
| Bounty amount (USD)     | $104,500   | $76,500    | $27,000      |

Renewal of the Reward Table

Until now, we have rewarded hackers based on the type of vulnerability reported. However, even within the same category, vulnerabilities can have varying severities and degrees of impact, so we decided to improve our reward system. The improved Reward Table rewards hackers based on which applications a vulnerability can affect, as well as what could be accomplished if it were exploited.

Examples are shown below.

| Category | Example | Reward (USD), critical applications | Reward (USD), other applications |
|----------|---------|-------------------------------------|----------------------------------|
| Remote Code Execution | Client-side or server-side vulnerabilities involving command injection | $30,000 | $10,000–$30,000 |
| Full access to file system or database | Using SSRF, SQL Injection or similar to access arbitrary files or retrieve all data from a database | $10,000–$30,000 | $3,000–$10,000 |
| Account takeover | Authentication bypass involving acquiring users' login information | $5,000–$10,000 | $5,000–$10,000 |
| Logic flaw bugs, information leaks, or bypassing significant security controls | Verification flaws such as IDOR, impersonation, triggering sensitive actions, purchase bypass | $5,000–$15,000 | $1,000–$5,000 |
| Execute code on the client | Cross-site scripting and other vulnerabilities occurring at the application level | $1,500–$5,000 | $500–$1,500 |
| Other valid security vulnerabilities | CSRF, Clickjacking, information leakage, etc. | $500–$10,000 | $500–$10,000 |

The table above shows some of the most common vulnerability categories, with a few differences from a generic program. In a generic Bug Bounty, RCE (Remote Code Execution) refers to server-side code execution; at LINE, however, a vulnerability that allows someone to hijack the LINE messenger app on iOS or Android is recognized as client-side RCE and granted an equally high bounty. Similarly for cross-site scripting (XSS) bugs: if one occurs in the LINE messenger app, it is treated as a critical application vulnerability in the ‘Execute code on the client’ category and granted a minimum of US$1,500.

If you find a vulnerability that allows you to hijack the LINE app, and where user interaction does not affect the outcome, please submit it via the Bug Report form.

Note that the table above is for reference only and does not guarantee an exact reward amount. For example, a bug affecting only one specific phone model would likely be granted a lower bounty than stated.

Although the program-wide bounty increase is partly due to combining several categories into one, our evaluation methods have not changed, and we will evaluate both new and old bugs under this new Reward Table.

New SWAG

Many of the reports we have received were out of scope for bounty rewards, but they often provide useful information that has helped us improve our applications. Until now, we have been giving out T-shirts as a ‘thank you’ to those reporters, as well as to those with qualifying reports.

From today, we are proud to announce the addition of the YubiKey 5 to our SWAG! It supports both FIDO2 and NFC.

As of February 2019, we are planning to email the valued hackers who have received our complete T-shirt collection over multiple reports, to thank them again for their continued contributions with our brand new swag.

Stay tuned!

Lastly

A big THANK YOU to everyone who participated in our Bug Bounty Program last year. We hope that you will continue bug hunting this year too, to make a better and safer environment for all LINE users. If you enjoy looking for vulnerabilities in the various LINE applications and services, and would like to take part in our Bug Bounty operations, we want you!
