[{"id":3767415,"new_policy":"# Vulnerabilities Excluded From Scope\nVulnerabilities that we judge as likely to fall under any of the categories below are considered out of scope for this program.\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for non-critical cookies\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain without proof of concept\n* Broken link hijacking (social media account etc)\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics)\n* HTTP Request Smuggling (HRS) and related desynchronization attacks\n\n# Prohibited Activities\nThe following activities are prohibited.\n* Port scanning. 
Please conduct vulnerability testing only on ports 80 and 443.\n* Using automated vulnerability scanners to attack our systems\n* Performing DoS attacks or any actions that place excessive load on our services\n* Physically attacking our assets or data centers\n* Conducting social engineering (phishing, vishing, smishing, etc.)\n* Sending a vulnerability report that includes a third party’s personal data without obtaining their prior consent\n* Any activity that harms our customers, employees, partners, or the provision of our services\n* Carrying out or promoting fraudulent transactions (such as unauthorized billing or product shipment manipulation)\n* Extracting, modifying, destroying, or disclosing to third parties any information about our customers, partners, or employees, or any trade secrets of us or our partners, beyond what is necessary for vulnerability reporting\n* If we determine that your actions violate or may violate our Terms of Use or these guidelines, or are otherwise inappropriate, we may take necessary measures such as blocking communication or suspending accounts.\n\n# Notes\n* Reporters must not disclose or leak to third parties any information related to vulnerabilities, or information obtained by exploiting vulnerabilities, without our prior written consent.\n* If a reporter obtains personal data of our customers, partners, or employees, or trade secrets of us or our partners in connection with a vulnerability report, the reporter must promptly delete such information (including logs, etc.) 
from all systems and devices they use.\n* Please do not include personal data of yourself or any third party in your vulnerability report.\n* Handling of submitted information\n* To take necessary measures based on your vulnerability report, we may share the content of the report with third parties such as system providers.\n* We pay maximum attention to security in order to safely manage the information collected from reporters.\n\n# Legal Matters (Safe Harbor)\nActivities conducted in accordance with these guidelines are regarded as authorized by us, unless their purpose or manner is improper, and we will not take legal action against reporters for such activities. If a third party takes legal action against a reporter in connection with activities performed under these guidelines, we will take steps, as appropriate, to clarify that the reporter’s actions were carried out in accordance with these guidelines and consider other necessary measures.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# ==Temporary Suspension of LINE Security Bug Bounty Program==\n# We would like to inform you that we temporarily suspended this program on December 3, 2025, to review and improve the program's content and structure.\n# We will continue to accept vulnerability reports by email at ml-bug-report@lycorp.co.jp\n# Note: No reward will be paid under this program for reports submitted on or after the suspension date.\n\nPrivacy notice: The reporter’s email address will be used only to confirm receipt of and coordinate on the report. 
Please avoid including personal information beyond what is necessary.\n\nReporting Method: ml-bug-report@lycorp.co.jp\n\nBefore reporting, please review LY Corporation’s Terms of Use (https://www.lycorp.co.jp/en/company/terms/) and Privacy Policy (https://www.lycorp.co.jp/en/company/privacypolicy/).\nPlease note that all reports submitted before the suspension date will be handled according to the program terms in effect at the time of submission.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-12-16T04:48:02.313Z"},{"id":3766889,"new_policy":"# Vulnerabilities Excluded From Scope\nVulnerabilities that we judge as likely to fall under any of the categories below are considered out of scope for this program.\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for non-critical cookies\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. 
by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain without proof of concept\n* Broken link hijacking (social media account etc)\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics)\n* HTTP Request Smuggling (HRS) and related desynchronization attacks\n\n# Prohibited Activities\nThe following activities are prohibited.\n* Port scanning. 
Please conduct vulnerability testing only on ports 80 and 443.\n* Using automated vulnerability scanners to attack our systems\n* Performing DoS attacks or any actions that place excessive load on our services\n* Physically attacking our assets or data centers\n* Conducting social engineering (phishing, vishing, smishing, etc.)\n* Sending a vulnerability report that includes a third party’s personal data without obtaining their prior consent\n* Any activity that harms our customers, employees, partners, or the provision of our services\n* Carrying out or promoting fraudulent transactions (such as unauthorized billing or product shipment manipulation)\n* Extracting, modifying, destroying, or disclosing to third parties any information about our customers, partners, or employees, or any trade secrets of us or our partners, beyond what is necessary for vulnerability reporting\n* If we determine that your actions violate or may violate our Terms of Use or these guidelines, or are otherwise inappropriate, we may take necessary measures such as blocking communication or suspending accounts.\n\n# Notes\n* Reporters must not disclose or leak to third parties any information related to vulnerabilities, or information obtained by exploiting vulnerabilities, without our prior written consent.\n* If a reporter obtains personal data of our customers, partners, or employees, or trade secrets of us or our partners in connection with a vulnerability report, the reporter must promptly delete such information (including logs, etc.) 
from all systems and devices they use.\n* Please do not include personal data of yourself or any third party in your vulnerability report.\n* Handling of submitted information\n* To take necessary measures based on your vulnerability report, we may share the content of the report with third parties such as system providers.\n* We pay maximum attention to security in order to safely manage the information collected from reporters.\n\n# Legal Matters (Safe Harbor)\nActivities conducted in accordance with these guidelines are regarded as authorized by us, unless their purpose or manner is improper, and we will not take legal action against reporters for such activities. If a third party takes legal action against a reporter in connection with activities performed under these guidelines, we will take steps, as appropriate, to clarify that the reporter’s actions were carried out in accordance with these guidelines and consider other necessary measures.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# ==Temporary Suspension of LINE Security Bug Bounty Program==\n# We would like to inform you that we temporarily suspended this program on December 3, 2025, to review and improve the program's content and structure.\n# We will continue to accept vulnerability reports by email at ml-bug-report@lycorp.co.jp\n\nPrivacy notice: The reporter’s email address will be used only to confirm receipt of and coordinate on the report. 
Please avoid including personal information beyond what is necessary.\n\nReporting Method: ml-bug-report@lycorp.co.jp\n\nBefore reporting, please review LY Corporation’s Terms of Use (https://www.lycorp.co.jp/en/company/terms/) and Privacy Policy (https://www.lycorp.co.jp/en/company/privacypolicy/).\nPlease note that all reports submitted before the suspension date will be handled according to the program terms in effect at the time of submission.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-12-03T02:00:15.537Z"},{"id":3766714,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subjected to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LY Corporation will be covering.   
\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. 
\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB. 
\n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within last 6 months or is carrying out a project that is being advanced with the Company     \n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments.  If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:     \n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. **Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers must provide additional information for anti-social forces screening each time they are awarded a bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* HTTP Request Smuggling (HRS) and related desynchronization attacks\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program) \nIf you are reporting a vulnerability in Yahoo Japan services: to improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you want to submit a vulnerability report to Yahoo VRP, please use the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore, Yahoo Japan VRP will not be rewarding bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe \n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# ==Temporary suspension of LINE Bug Bounty Program Notice - \u003chttps://hackerone.com/line/updates\u003e==\n# Testing Precautions\nBefore testing services eligible for the LINE Security Bug Bounty Program, please review the Policy and Terms.\n * Out-of-scope: https://hackerone.com/line?type=team. Do not test these, as such reports will be deemed ineligible.\n * Testing that disrupts services or affects other users may result in disqualification from the program.\n * Accessing unrelated systems or collecting data is prohibited. If you verify a vulnerability, do not access other users' data or explore beyond the necessary system areas. Review the [Program Rules](https://hackerone.com/line?type=team).\n * Some cases may require internal log checks. 
Include your HackerOne ID in test packets, record your IP address (including VPN), and be prepared to provide it if requested.\n\n\n * **Header:**\n     * X-HackerOne: UserID\n * **Parameter:**\n     * ?Hackerone=UserID","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-12-01T02:23:14.535Z"},{"id":3765707,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subjected to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LY Corporation will be covering.   \n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. 
\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolution (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. 
\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to the personal information of others (PII), acts such as accessing, deleting, modifying, storing, or manipulating data (or similar acts) are prohibited. Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report, and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number so that they can be checked against the Japanese Anti-Social Forces database. 
\n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. **Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers must provide additional information for anti-social forces screening each time they are awarded a bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access another format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* HTTP Request Smuggling (HRS) and related desynchronization attacks\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program) \nIf you want to report a vulnerability in Yahoo Japan services: to improve the security level of those services, the Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. To submit a vulnerability report to the Yahoo Japan VRP, please use the link below. 
\n**Note: The Yahoo Japan VRP is not a bug bounty program, so it will not reward bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation, and any LINE domains/sub-domains developed by third-party vendors, will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by third-party vendors (SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe.\n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# We invite you to report vulnerabilities in LINE services. 
Your findings help us protect millions and build a safer, more secure platform.\n# ==Testing Precautions==\nBefore testing services eligible for the LINE Security Bug Bounty Program, please review the Policy and Terms.\n * Out-of-scope: https://hackerone.com/line?type=team. Do not test these, as such reports will be deemed ineligible.\n * Testing that disrupts services or affects other users may result in disqualification from the program.\n * Accessing unrelated systems or collecting data is prohibited. If you verify a vulnerability, do not access other users' data or explore beyond the necessary system areas. Review the [Program Rules](https://hackerone.com/line?type=team).\n * Some cases may require internal log checks. Include your HackerOne ID in test packets, record your IP address (including VPN), and be prepared to provide it if requested.\n\n\n * **Header:**\n     * X-HackerOne: UserID\n * **Parameter:**\n     * ?Hackerone=UserID","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-07T08:48:30.439Z"},{"id":3757113,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. 
See the **Eligibility Requirements** section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolution (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. 
\n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the 
Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report, and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number so that they can be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers must provide additional information for anti-social forces screening each time they are awarded a bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access another format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program) \nIf you want to report a vulnerability in Yahoo Japan services: to improve the security level of those services, the Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. To submit a vulnerability report to the Yahoo Japan VRP, please use the link below. 
\n**Note: The Yahoo Japan VRP is not a bug bounty program, so it will not reward bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation, and any LINE domains/sub-domains developed by third-party vendors, will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by third-party vendors (SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe.\n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# We invite you to report vulnerabilities in LINE services. 
Your findings help us protect millions and build a safer, more secure platform.\n# ==Testing Precautions==\nBefore testing services eligible for the LINE Security Bug Bounty Program, please review the Policy and Terms.\n * Out-of-scope: https://hackerone.com/line?type=team. Do not test these, as such reports will be deemed ineligible.\n * Testing that disrupts services or affects other users may result in disqualification from the program.\n * Accessing unrelated systems or collecting data is prohibited. If you verify a vulnerability, do not access other users' data or explore beyond the necessary system areas. Review the [Program Rules](https://hackerone.com/line?type=team).\n * Some cases may require internal log checks. Include your HackerOne ID in test packets, record your IP address (including VPN), and be prepared to provide it if requested.\n\n\n * **Header:**\n     * X-HackerOne: UserID\n * **Parameter:**\n     * ?Hackerone=UserID","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-06-09T05:04:11.238Z"},{"id":3754449,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. 
See the Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. 
\n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the 
Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out-of-scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program)\nTo improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you have found a vulnerability in a Yahoo Japan service and want to submit a report to Yahoo VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program, therefore Yahoo Japan VRP will not be rewarding bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nOur complete Terms of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe.\n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# We invite you to report vulnerabilities in LINE services. 
Your findings will help us protect millions and build a safer, more secure platform.\n\n# ==Testing Precautions==\nBefore testing services eligible for the LINE Security Bug Bounty Program, please familiarize yourself with the Policy and Terms.\n* Out-of-scope vulnerabilities are listed at the bottom of this page (https://hackerone.com/line?type=team). Please do not test these vulnerabilities as submissions related to them will not be eligible for bounties.\n* Testing vulnerabilities that affect service operations or other users may result in disqualification from participating in the bug bounty program.\n* Some reports may require internal log investigations. Please include your HackerOne ID in the packet during testing as shown below. Additionally, record your IP (including IPs assigned via VPN) and be prepared to share it upon request.\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-04-28T07:35:18.520Z"},{"id":3753746,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. 
See the Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. 
\n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the 
Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out-of-scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program)\nTo improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you have found a vulnerability in a Yahoo Japan service and want to submit a report to Yahoo VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore Yahoo Japan VRP will not reward bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may be considered only on a case-by-case basis for assets developed or managed by third-party vendors (SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, depending on the privacy and business impact.\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe.\n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# ==Testing Precautions==\nBefore testing services eligible for the LINE Security Bug Bounty Program, please familiarize yourself with the Policy and Terms.\n* Out-of-scope vulnerabilities are listed at the bottom of this page (https://hackerone.com/line?type=team). Please do not test these vulnerabilities as submissions related to them will not be eligible for bounties.\n    * Testing vulnerabilities that affect service operations or other users may result in disqualification from participating in the bug bounty program.\n* Some reports may require internal log investigations. Please include your HackerOne ID in the packet during testing as shown below. 
Additionally, record your IP (including IPs assigned via VPN) and be prepared to share it upon request.\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-04-15T01:32:40.889Z"},{"id":3747868,"new_policy":"# ==Testing Precautions==\nBefore testing services eligible for the LINE Security Bug Bounty Program, please familiarize yourself with the Policy and Terms.\n* Out-of-scope vulnerabilities are listed at the bottom of this page (https://hackerone.com/line?type=team). Please do not test these vulnerabilities as submissions related to them will not be eligible for bounties.\n    * Testing vulnerabilities that affect service operations or other users may result in disqualification from participating in the bug bounty program.\n* Some reports may require internal log investigations. Please include your HackerOne ID in the packet during testing as shown below. Additionally, record your IP (including IPs assigned via VPN) and be prepared to share it upon request.\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n\n# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy:\n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. 
See the Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will cover.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolution (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. 
\n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the 
Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules\nPlease ensure you adhere to the following rules when participating in our program, both to remain in good standing and to ensure that your submission will be eligible for a bounty:\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to the personal information of others (PII), acts such as accessing, deleting, modifying, storing or manipulating such data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once, for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME\\*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * \\*If you have a Kanji name (Chinese characters), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL/TLS wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts, etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program)\nTo improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) accepts vulnerability reports from users. If you want to submit a vulnerability report for a Yahoo Japan service to Yahoo Japan VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore Yahoo Japan VRP will not reward bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may be considered only on a case-by-case basis for assets developed or managed by third-party vendors (SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, depending on the privacy and business impact.\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe.\n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-01-13T08:18:11.777Z"},{"id":3736027,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy:\n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See the Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. 
LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will cover.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolution (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules\nPlease ensure you adhere to the following rules when participating in our program, both to remain in good standing and to ensure that your submission will be eligible for a bounty:\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to the personal information of others (PII), acts such as accessing, deleting, modifying, storing or manipulating such data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once, for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME\\*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * \\*If you have a Kanji name (Chinese characters), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL/TLS wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program)\nIn case of reporting a vulnerability for Yahoo Japan services: to improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you want to submit a vulnerability report to Yahoo VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore Yahoo Japan VRP will not be rewarding bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* ref) https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe \n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-08-14T02:23:14.621Z"},{"id":3736026,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. 
LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once, for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.**  It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program)\nIn case of reporting a vulnerability for Yahoo Japan services: to improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you want to submit a vulnerability report to Yahoo VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore Yahoo Japan VRP will not be rewarding bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* ref) https://security.yahoo.co.jp/vulnerability-report.html\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe \n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-14T02:17:31.273Z"},{"id":3732596,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. 
LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once, for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE - Talk | `*.line.me` |\n| LINE - VoIP | `*.line.biz` |\n| LINE - LINE VOOM | `*.line-apps.com` |\n| LINE - Keep | `*.line.naver.jp` |\n| LINE - LINE OpenChat | |\n| LINE - LINE NEWS | |\n| LINE - Applications **\\*** | |\n\n_\\* **LINE Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.**  It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program) \nIf you are reporting a vulnerability in a Yahoo Japan service: to improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you want to submit a vulnerability report to Yahoo Japan VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore, Yahoo Japan VRP will not reward bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\u0026nbsp;\n \u0026nbsp;\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe \n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["IDOR","MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","CHAINED_VULNERABILITIES","VULNERABLE_NETWORK_CONECTION_IN_CLIENT_APPLICATIONS","THIRD_PARTY_COMPONENTS_FOR_HACKERS","LEAKAGE_SENSITIVE_PII","SELF_SIGN_UP_CVSS_PR","THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT","PAYING_FOR_NEW_ZERO_DAYS"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-17T07:08:10.815Z"},{"id":3709271,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. 
See the Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.   \n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. 
\n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the 
Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program; this also ensures that your submission will be eligible for a bounty:\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing or manipulating such data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese anti-social forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE - Talk ||  `*.line.me` | \n| | LINE  - VoIP ||   `*.line.biz` |\n| | LINE  - LINE VOOM || `*.line-apps.com` | \n| | LINE – Keep || `*.line.naver.jp` | \n| | LINE – LINE OpenChat || \n| | LINE – LINE NEWS || \n| | LINE - Applications **\\*** | \n\n_\\* **LINE Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL/TLS-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access any other format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n\n----\n# Yahoo Japan VRP (Vulnerability Report Program) \nIf you are reporting a vulnerability in a Yahoo Japan service: to improve the security level of Yahoo Japan services, Yahoo Japan VRP (Vulnerability Report Program) receives vulnerability reports from users. If you want to submit a vulnerability report to Yahoo Japan VRP, please click the link below. 
\n**Note: Yahoo Japan VRP is not a bug bounty program; therefore, Yahoo Japan VRP will not reward bounties for any vulnerabilities reported.**\n* Yahoo Japan VRP page: https://support.yahoo-net.jp/form/s/dirvrp\n* Reference: https://security.yahoo.co.jp/vulnerability-report.html\n\u0026nbsp;\n \u0026nbsp;\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe \n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-14T09:27:50.829Z"},{"id":3704314,"new_policy":"# LINE Security Bug Bounty rules at a glance\n\nThe LINE Security Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. 
LY Corporation will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LY Corporation will be covering.   \n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE app and LY Corporation's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LY Corporation offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLY Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LY Corporation's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LY Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program; this also ensures that your submission will be eligible for a bounty:\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LY Corporation's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing or manipulating such data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LY Corporation in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese anti-social forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out within the last 6 months, or is carrying out, a project being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LY Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LY Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LY Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LY Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE - Talk ||  `*.line.me` | \n| | LINE  - VoIP ||   `*.line.biz` |\n| | LINE  - LINE VOOM || `*.line-apps.com` | \n| | LINE – Keep || `*.line.naver.jp` | \n| | LINE – LINE OpenChat || \n| | LINE – LINE NEWS || \n| | LINE - Applications **\\*** | \n\n_\\* **LINE Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LY Corporation has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL/TLS-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access any other format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts, etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Additional Notes\nAny assets that are not managed by LY Corporation and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by third-party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LY Corporation and our users safe.\n\n----\n\n## LY Corporation’s Hall of Fame\nHaving run LY Corporation’s very own LINE Security Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LY Corporation team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-30T16:30:01.077Z"},{"id":3686355,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. 
See the **Eligibility Requirements** section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. 
\n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the 
Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program, so that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out a project with the Company within the last 6 months or is currently carrying one out\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.biz` |\n| LINE Messenger - VOOM | `*.line-apps.com` |\n| LINE Messenger – Keep | `*.line.naver.jp` |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts, etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for a bounty\n\n\n----\n# Additional Notes\nAny assets that are not managed by LINE and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by third-party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe.\n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-19T09:33:24.622Z"},{"id":3682431,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See the **Eligibility Requirements** section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. 
This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program, so that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity, or part of an entity, that has carried out a project with the Company within the last 6 months or is currently carrying one out\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.biz` |\n| LINE Messenger - VOOM | `*.line-apps.com` |\n| LINE Messenger – Keep | `*.line.naver.jp` |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record, DNSSEC records\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts, etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LINE and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-24T14:00:28.060Z"},{"id":3677505,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. 
This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program, and also to ensure that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing, or manipulating data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE Messenger - Chat ||  `*.line.me` | \n| | LINE Messenger - VoIP ||   `*.line.biz` |\n| | LINE Messenger - VOOM || `*.line-apps.com` | \n| | LINE Messenger – Keep || `*.line.naver.jp` | \n| | LINE Messenger – OpenChat || \n| | LINE Messenger – News || \n| | LINE Messenger - Applications **\\*** | \n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access any other format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out-of-scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media accounts, etc.)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (e.g. Apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n\n----\n# ==Additional Notes==\nAny assets that are not managed by LINE and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinised. A bounty or reward may only be considered on a case-by-case basis for assets developed/managed by 3rd party vendors (types of SaaS or solution products), even for technical vulnerabilities occurring in the LINE domain, and depending on the privacy and business impact.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-21T06:43:47.736Z"},{"id":3677473,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. 
This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program, and also to ensure that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing, or manipulating data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE Messenger - Chat ||  `*.line.me` | \n| | LINE Messenger - VoIP ||   `*.line.biz` |\n| | LINE Messenger - VOOM || `*.line-apps.com` | \n| | LINE Messenger – Keep || `*.line.naver.jp` | \n| | LINE Messenger – OpenChat || \n| | LINE Messenger – News || \n| | LINE Messenger - Applications **\\*** | \n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access any other format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out-of-scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n** \u003cNote\u003e **\nAny assets that are not managed by LINE and any LINE domains/sub-domains developed by third-party vendors will be carefully scrutinized. A bounty or reward may only be considered on a case-by-case basis and depending on the privacy and business impact.\n- The reward may not be paid for assets developed/managed by 3rd party vendors (types of SaaS or solution products) even for technical vulnerabilities occurring in the LINE domain.\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-20T08:55:55.893Z"},{"id":3674627,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. 
This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE Messenger - Chat ||  `*.line.me` | \n| | LINE Messenger - VoIP ||   `*.line.biz` |\n| | LINE Messenger - VOOM || `*.line-apps.com` | \n| | LINE Messenger – Keep || `*.line.naver.jp` | \n| | LINE Messenger – OpenChat || \n| | LINE Messenger – News || \n| | LINE Messenger - Applications **\\*** | \n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-19T05:44:08.498Z"},{"id":3666223,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE Messenger - Chat ||  `*.line.me` | \n| | LINE Messenger - VoIP ||   `*.line.biz` |\n| | LINE Messenger - VOOM || `*.line-apps.com` | \n| | LINE Messenger – Keep || `*.line.naver.jp` | \n| | LINE Messenger – OpenChat || \n| | LINE Messenger – News || \n| | LINE Messenger - Applications **\\*** | \n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%.\n\nA few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy to understand report and good description of the root cause of the issue\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Cache-Poisoned Denial-of-Service\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-08T10:08:32.022Z"},{"id":3663852,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submit) - 5 business days\n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules\nPlease ensure you adhere to the following rules when participating in our program, and also to ensure that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.biz` |\n| LINE Messenger - VOOM | `*.line-apps.com` |\n| LINE Messenger – Keep | `*.line.naver.jp` |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n\u003e - macOS\n\u003e - iOS\n\u003e - Android\n\u003e - Lite\n\u003e - Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*.\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%.\n\nA few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts\n    \u003e * Easy to understand report and a good description of the root cause of the issue\n\n----\n\n# Test Accounts\nWe do not provide test accounts.\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, VOOM photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-06T09:49:20.461Z"},{"id":3663851,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submit) - 5 business days\n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules\nPlease ensure you adhere to the following rules when participating in our program, and also to ensure that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.biz` |\n| LINE Messenger - VOOM | `*.line-apps.com` |\n| LINE Messenger – Keep | `*.line.naver.jp` |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n\u003e - macOS\n\u003e - iOS\n\u003e - Android\n\u003e - Lite\n\u003e - Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*.\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%.\n\nA few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy-to-understand report and a good description of the root cause of the issue\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access any other format (e.g. `*.xz`) or any other path (e.g. `/notHere`), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * `X-HackerOne: MyUserName`\n* **Parameter:**\n    * `?Hackerone=MyUserName`\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-06T09:47:16.875Z"},{"id":3663834,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening, and all information provided will be kept confidential.\n    * *If your name is written in Kanji (Chinese characters), please include the English spelling of it as well in your Full Name.\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.biz` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger – Keep | `*.line.naver.jp` |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n\u003e - macOS\n\u003e - iOS\n\u003e - Android\n\u003e - Lite\n\u003e - Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*.\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%.\n\nA few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy-to-understand report and a good description of the root cause of the issue\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you access any other format (e.g. `*.xz`) or any other path (e.g. `/notHere`), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * `X-HackerOne: MyUserName`\n* **Parameter:**\n    * `?Hackerone=MyUserName`\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-06T04:18:29.720Z"},{"id":3655087,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that has carried out within the last 6 months, or is carrying out, a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.naver.jp` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger – Keep | |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%.\n\nA few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy to understand report and a good description of the root cause of the issue\n\n----\n\n# Test Accounts\nWe do not provide test accounts.\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n* Broken link hijacking (social media account etc)\n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n* Status monitoring page with no disclosure of sensitive data (eg: apache server status and internal metrics) \n    * You may submit a report for this issue and it will be resolved, but it will not be eligible for bounty\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-19T05:30:59.253Z"},{"id":3654350,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.naver.jp` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger – Keep | |\n| LINE Messenger – OpenChat | |\n| LINE Messenger – News | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%.\n\nA few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy to understand report and a good description of the root cause of the issue\n\n----\n\n# Test Accounts\nWe do not provide test accounts.\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL-wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-08T02:23:40.324Z"},{"id":3652879,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company     \n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:     \n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). 
This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE Messenger - Chat ||  `*.line.me ` | \n| | LINE Messenger - VoIP ||  `*.line.naver.jp`| \n| | LINE Messenger - Timeline | | `*.line-apps.com`| \n| | LINE Messenger – Keep || \n| | LINE Messenger – OpenChat || \n| | LINE Messenger – News || \n| | LINE Messenger - Platform System |\n| | LINE Messenger - Applications **\\*** | \n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identifying a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. 
apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%\n\n A few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy to understand report and good description root cause of issue\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.**  It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n*  jpg\n*  jpeg\n* gif\n*  js\n* htm\n*  html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-01T07:07:43.072Z"},{"id":3650549,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan) - all of which LINE will be covering.   \n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company     \n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:     \n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| |Tier A Assets                        | | Tier B Assets |  | \n|-|-------------------------------| -|-|-| \n| | LINE Messenger - Chat ||  `*.line.me ` | \n| | LINE Messenger - VoIP ||  `*.line.naver.jp`| \n| | LINE Messenger - Timeline | | `*.line-apps.com`| \n| | LINE Messenger – Keep || \n| | LINE Messenger - Servers |\n| | LINE Messenger - Applications **\\*** | \n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n\u003e - Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. 
**Base Bounty**\nMaximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identifying a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased by 15%\n\n A few examples of things we will be looking for are:\n    \u003e * Novel and innovative approach and exploit\n    \u003e * Creative chaining of exploits\n    \u003e * Quality proof of concepts*\n    \u003e * Easy to understand report and good description root cause of issue\n\n----\n\n# Test Accounts \nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.**  It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n*  jpg\n*  jpeg\n* gif\n*  js\n* htm\n*  html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-30T12:33:25.710Z"},{"id":3643468,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan) - all of which LINE will be covering.   \n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers' efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules\nPlease ensure you adhere to the following rules when participating in our program; doing so also ensures that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use automated vulnerability scanners to launch attacks against LINE's systems.\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data.\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, or manipulating data (or similar acts) shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English.\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months.\n* Not be an entity, or part of an entity, that has carried out within the last 6 months or is carrying out a project that is being advanced with the Company.\n* Not be a member of an anti-social group or a related party thereof.\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * \\*If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.naver.jp` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger - Keep | |\n| LINE Messenger - Servers | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. 
**Base Bounty**\nThe maximum reward is taken from the bounty table. The report is then evaluated against that maximum using CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. A few examples of things we will be looking for are:\n * Novel and innovative approach and exploit\n * Creative chaining of exploits\n * Quality proof of concepts*\n * Easy to understand report and good description of the root cause of the issue\n\n    \u003e **Reports that qualify based on the above will have their bounty increased by 15%.**\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope:\n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to autofill web forms\n* Absence of the Secure flag attribute on **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T03:40:00.856Z"},{"id":3642775,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules\nPlease ensure you adhere to the following rules when participating in our program; doing so also ensures that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use automated vulnerability scanners to launch attacks against LINE's systems.\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data.\n* With regards to personal information of others (PII), acts such as accessing, deleting, modifying, storing, or manipulating data (or similar acts) shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English.\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program.\n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database.\n\n----\n\n# Eligibility Requirements\n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months.\n* Not be an entity, or part of an entity, that has carried out within the last 6 months or is carrying out a project that is being advanced with the Company.\n* Not be a member of an anti-social group or a related party thereof.\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * \\*If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.naver.jp` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger - Keep | |\n| LINE Messenger - Servers | |\n| LINE Messenger - Applications **\\*** | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. 
**Base Bounty**\nThe maximum reward is taken from the bounty table. The report is then evaluated against that maximum using CVSS and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos)\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. A few examples of things we will be looking for are:\n * Novel and innovative approach and exploit\n * Creative chaining of exploits\n * Quality proof of concepts*\n * Easy to understand report and good description of the root cause of the issue\n\n    \u003e **Reports that qualify based on the above will have their bounty increased by 15%.**\n\n----\n\n# Test Accounts\nWe do not provide test accounts. 
\nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing\n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. 
As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope:\n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to autofill web forms\n* Absence of the Secure flag attribute on **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-24T04:10:31.925Z"},{"id":3641355,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service.\n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules.\n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets\nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to triage (from report submission) - 5 business days\n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process.\n\n----\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company').\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease adhere to the following rules when participating in our program; they are also conditions for your submission to be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to the personal information of others (PII), acts such as accessing, deleting, modifying, storing or manipulating data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese anti-social forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be, or be part of, an entity that has carried out a project with the Company within the last 6 months or is currently carrying out such a project\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid; the documents are only of use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment on the report.\n\nHackers need to provide additional information for anti-social forces screening only once, for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji (Chinese-character) name, please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.naver.jp` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger - Keep | |\n| LINE Messenger - Servers | |\n| LINE Messenger - Applications \\* | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. 
**Base Bounty**\nThe maximum reward is taken from the bounty table. The report is then evaluated against that maximum using CVSS and an assessment of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the categories below when awarding bounties, but they should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n    \u003e * LINE’s unique user identifier (User Identifiers of users not added as friends)\n    \u003e     * Disclosure of your own ID and IDs of users added as friends does not qualify\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Other rewards: Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. 
A few examples of things we will be looking for are:\n* Novel and innovative approach or exploit\n* Creative chaining of exploits\n* High-quality proof of concept\n* Easy-to-understand report with a clear description of the root cause of the issue\n\n    \u003e **Reports that qualify based on the above will have their bounty increased by 15%.**\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It accepts different kinds of requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a custom header or parameter (if possible) carrying your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts the same data wrapped in SSL/TLS (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions (the hostnames that resolve to private addresses let you check whether a target blocks internal destinations only when they are given as literal IPs):\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats (by requested file extension):\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you request another format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. 
_Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * `X-HackerOne: MyUserName`\n* **Parameter:**\n    * `?Hackerone=MyUserName`\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerabilities reported as-is from automated scanner output\n* Hypothetical or theoretical vulnerabilities without working proof-of-concept code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to send arbitrary spam messages to LINE users\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto-fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-17T03:38:27.500Z"},{"id":3641354,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (for foreign residents) or 10.21% tax (for reporters residing in Japan), all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to resolution (from report submission) - 31 business days\n\n\\*Do note that due to regulations outside LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease adhere to the following rules when participating in our program; they are also conditions for your submission to be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to the personal information of others (PII), acts such as accessing, deleting, modifying, storing or manipulating data (or similar acts) are prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese anti-social forces database. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company, and not have belonged to the Company or an affiliated company within the last 6 months\n* Not be, or be part of, an entity that has carried out a project with the Company within the last 6 months or is currently carrying out such a project\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid; the documents are only of use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment on the report.\n\nHackers need to provide additional information for anti-social forces screening only once, for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji (Chinese-character) name, please include the English spelling of it as well in your Full Name\n\n----\n\n# In-Scope Assets\n\n| Tier A Assets | Tier B Assets |\n|---|---|\n| LINE Messenger - Chat | `*.line.me` |\n| LINE Messenger - VoIP | `*.line.naver.jp` |\n| LINE Messenger - Timeline | `*.line-apps.com` |\n| LINE Messenger - Keep | |\n| LINE Messenger - Servers | |\n| LINE Messenger - Applications \\* | |\n\n_\\* **LINE Messenger Applications in scope (Tier A)**_\n- Windows: Microsoft Store Executable\n- macOS\n- iOS\n- Android\n- Lite\n- Chrome Extension \n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. 
**Base Bounty**\nThe maximum reward is taken from the bounty table. The report is then evaluated against that maximum using CVSS and an assessment of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the categories below when awarding bounties, but they should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n    \u003e * LINE’s unique user identifier (User Identifiers of users not added as friends)\n    \u003e     * Disclosure of your own ID and IDs of users added as friends does not qualify\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. 
A few examples of things we will be looking for are:\n* Novel and innovative approach or exploit\n* Creative chaining of exploits\n* High-quality proof of concept\n* Easy-to-understand report with a clear description of the root cause of the issue\n\n    \u003e **Reports that qualify based on the above will have their bounty increased by 15%.**\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It accepts different kinds of requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a custom header or parameter (if possible) carrying your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts the same data wrapped in SSL/TLS (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions (the hostnames that resolve to private addresses let you check whether a target blocks internal destinations only when they are given as literal IPs):\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats (by requested file extension):\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf you request another format (e.g. *.xz) or any other path (e.g. /notHere), the flag will be included at the top of the response, in text form. 
_Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * `X-HackerOne: MyUserName`\n* **Parameter:**\n    * `?Hackerone=MyUserName`\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerabilities reported as-is from automated scanner output\n* Hypothetical or theoretical vulnerabilities without working proof-of-concept code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to send arbitrary spam messages to LINE users\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto-fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-17T03:34:17.426Z"},{"id":3641346,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information. Afterwards, the process speeds up significantly. See Eligibility Requirements section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# Scope\n\n**_Tier A Assets - LINE Messenger (Client, Related servers)_**\nLINE Messenger - Chat\nLINE Messenger - VoIP\nLINE Messenger - Timeline\nLINE Messenger - Keep\nLINE Messenger - Servers\nLINE Messenger:\n* Windows: Microsoft Store Executable\n* macOS\n* iOS\n* Android\n* Lite\n* Chrome Extension\n\n**_Tier B Assets - LINE Family services_**\n*.line-apps.com\n*.line.naver.jp\n*.line.me\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. 
The report is then evaluated against that maximum reward, its CVSS score and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n    \u003e * LINE’s unique user identifier (User Identifiers of users not added as friends)\n    \u003e     * Disclosure of your own ID and IDs of users added as friends does not qualify\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. 
A few examples of things we will be looking for are:\n* Novel and innovative approach and exploit\n* Creative chaining of exploits\n* Quality proof of concepts*\n* Easy to understand report and good description of the root cause of the issue\n\n    \u003e **Reports that qualify based on the above will have their bounty increased by 15%.**\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. 
_Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to autofill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe.\n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-17T02:40:50.985Z"},{"id":3641345,"new_policy":"# LINE Bug Bounty rules at a glance\n\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See the **Eligibility Requirements** section for details\n* All bounty amounts indicated in our rewards table are the actual amounts that will be paid to hackers, regardless of country of residence. This means that if a report is rewarded $500, that is the amount that will be paid, regardless of country of residence. LINE will now be covering the cost of taxes applied to all bounties. 
The bounties are subject to either 20.42% tax (For foreign residents) or 10.21% tax (For reporters residing in Japan) - all of which LINE will be covering.\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\nPlease view the Terms of Use here: https://bugbounty.linecorp.com/en/terms_of_use/.\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
\n* Participants shall treat vulnerability information and any information obtained using the vulnerability as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* In the event the vulnerability information and/or any information obtained using the vulnerability contains personal information of a third party, or in any case where such information is accessed, the Participant cannot disclose, leak, or make public such personal information without the express prior written consent of the relevant third party.\n* Notwithstanding the other stipulations, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. 
In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* With regard to personal information of others (PII), acts such as accessing, deleting, modifying, storing, manipulating data (or similar acts), shall be prohibited. 
Upon accessing any personal information while conducting testing, the Hacker shall cease action immediately, report the details to LINE in their vulnerability report and delete such personal information and all reproductions thereof from any terminal, such as a computer.\n* Disclosure, leaking and publication of any personal information accessed is also prohibited.\n* Be able to communicate in Japanese or English\n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program. \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. \n\n----\n\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be a current employee of the Company or an affiliated company and not belong to the Company or an affiliated company within the last 6 months\n* Not be an entity or part of an entity that had carried out within the last 6 months or is carrying out a project that is being advanced with the Company\n* Not be a member of an anti-social group or a related party thereof\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government guidelines, LINE Corporation is required to perform Hacker screening before issuing bounty payments. If you are not a Japanese resident, you can apply for tax reduction or exemption as follows:\n* You may still choose to submit documents and have your bounty processed according to the tax treaty between the country you reside in and Japan. 
**Do note that this will not influence the amount you are paid and will only be eligible for use for tax deductions in your country.** If you want to complete this process, please state so clearly in the report or as a comment to the report.\n\nHackers need to provide additional information for anti-social forces screening only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below:\n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n\n----\n\n# Scope\n\n**_Tier A Assets - LINE Messenger (Client, Related servers)_**\nLINE Messenger - Chat\nLINE Messenger - VoIP\nLINE Messenger - Timeline\nLINE Messenger - Keep\nLINE Messenger - Servers\nLINE Messenger:\n* Windows: Microsoft Store Executable\n* macOS\n* iOS\n* Android\n* Lite\n* Chrome Extension\n\n**_Tier B Assets - LINE Family services_**\n*.line-apps.com\n*.line.naver.jp\n*.line.me\n\n----\n\n# Report Assessment and Bounty Calculations\n\nThe final bounty will be the *Base Bounty + PII (if any) + Special Bonus (if any)*\n\n1. **Base Bounty**\nMaximum reward is based on the bounty table. 
The report is then evaluated against that maximum reward, its CVSS score and an evaluation of the business impact.\n\n2. **Other rewards: Personal information leakage (PII)**\nWe aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.\n\n    \u003e _Category A – Max $5000:_\n    \u003e * Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)\n    \u003e * Biometric data (Example: Fingerprint features used for authentication)\n    \u003e * Official documents used for identification (Example: Passport)\n    \u003e * Any information covered by Japan's Personal Information Protection law (Example: Information that allows one to uniquely identify a person)\n\n    \u003e _Category B – Max $2000:_\n    \u003e * Partially identifying information (Example: Full address incl. apartment number, if applicable)\n    \u003e * Information not supposed to be available to the attacker (Example: Private content kept in LINE Keep, for example personal photos) \n    \u003e * LINE’s unique user identifier (User Identifiers of users not added as friends)\n    \u003e     * Disclosure of your own ID and IDs of users added as friends does not qualify\n\n    \u003e _Category C – Max $1000:_\n    \u003e * Other types of sensitive user information (Example: Full name, List of previous purchases)\n\n3. **Special Bonus**\nThis category is for rewarding special contributions. This is entirely up to the LINE Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. 
A few examples of things we will be looking for are:\n* Novel and innovative approach and exploit\n* Creative chaining of exploits\n* Quality proof of concepts*\n* Easy to understand report and good description of the root cause of the issue\n\n    \u003e **Reports that qualify based on the above will have their bounty increased by 15%.**\n\n----\n\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n* Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On ports 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On ports 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n* jpg\n* jpeg\n* gif\n* js\n* htm\n* html\n\nIf accessing another format (*.xz) or any path (/notHere), the flag will be included at the top of the response, in text form. 
_Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples:\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to autofill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-17T02:33:02.220Z"},{"id":3640381,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hacker’s efforts, LINE offers bounty rewards. 
Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information and tax form). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n*  jpg\n*  jpeg\n* gif\n*  js\n* htm\n*  html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure or lack of security controls on Google Maps API keys\n* Exposure of API keys with no security impact\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces  (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent from HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, home address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-24T03:43:02.854Z"},{"id":3639774,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hacker’s efforts, LINE offers bounty rewards. 
Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information and tax form). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n\n# SSRF Testing \n\n**LINE has created an internal service for easier testing of SSRF on our assets.** It runs on multiple ports and can be reached on multiple IPs and hostnames. 
It also supports different requests and will respond with a flag to every request.\n\n## _IMPORTANT NOTES_\n*  Submission: Please include the flag you received from the request in your report so we can verify that you hit the endpoint.\n* Testing: Please also include a random header or parameter (if possible) with your H1 username, so we can identify your requests easily.\n\n## Usage:\n* On port 80 and 8080 it accepts any data over a raw socket (any protocol)\n* On port 443 and 4443 it accepts any data that is SSL wrapped (encrypted)\n\nIt can be reached through the following domain names and IPs, to test different conditions:\n* ssrf-pub.line-dev.me (Public IP)\n* bb.line-dev.me (Private IP)\n* ssrf.line-dev.me (Private IP)\n* 10.231.191.161 (Private IP)\n* 147.92.156.240 (Public IP)\n\nIt also supports the following formats:\n* png\n*  jpg\n*  jpeg\n* gif\n*  js\n* htm\n*  html\n\nIf accessing another format (*.xz) or any path(/notHere), the flag will be included at the top of the response, in text form. _Please remember to add your H1 username as a header or parameter while you are testing, so we can quickly verify that you hit the endpoint._ Examples-\n* **Header:**\n    * X-HackerOne: MyUserName\n* **Parameter:**\n    * ?Hackerone=MyUserName\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting  a single browser or a single version only\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces  (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent from HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, home address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe. \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-20T02:28:15.541Z"},{"id":3628566,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. 
Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information and tax form). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single browser version\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent of HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, home address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe. \n\n----\n\n## LINE’s Hall of Fame\nHaving run LINE’s very own Bug Bounty Program previously, we have recognised several talented hackers who contributed to our business and customers’ safety.\n\nFor a list of bugs reviewed by the LINE team and nominated for the Hall of Fame, please visit https://bugbounty.linecorp.com/en/halloffame/.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-17T06:45:35.915Z"},{"id":3627690,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. 
Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information and tax form). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Home Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces database. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single browser version\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, HOME ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent of HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, home address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-08T07:17:41.807Z"},{"id":3626864,"new_policy":"# _Update - 23 December 2019:_\n\nHappy Holidays hackers! Thank you for being a part of LINE's journey and all your contributions thus far. During this period of time, you may expect a slower response from the program as some of us will be taking time off to spend time with our loved ones. Thank you for your understanding and we assure you that your reports will be handled to the best of our ability.\n \n Wishing you a very Happy 2020 ahead!\n\n\n# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. 
We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information and tax form). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent from HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-25T07:46:54.499Z"},{"id":3626775,"new_policy":"# _Update - 23 December 2019:_\n\nHappy Holidays hackers! Thank you for being a part of LINE's journey and all your contributions thus far. During this period of time, you may expect a slower response from the program as some of us will be taking time off to spend time with our loved ones. Thank you for your understanding and we assure you that your reports will be handled to the best of our ability.\n \n Wishing you a very Happy 2020 ahead!\n\n\n# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete upon receipt of your information and tax form. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. 
We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. \n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submit) - 5 business days \n* Time to bounty decision (from report submit) - 15 business days\n* Time to issue resolved (from report submit) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued (upon receipt of your information and tax form). Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to a denial-of-service attack\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities affecting only a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent from HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-23T07:48:46.352Z"},{"id":3626198,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hackers’ efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. 
\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued. Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces DB. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to a denial-of-service attack\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Request flooding DoS and/or any Server Side DoS attack that may lead to disruption of our service(s)\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n* Subdomain takeover reports with CNAME records regarding the livedoor.jp domain **without proof of concept**\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent of HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-16T05:41:01.536Z"},{"id":3623735,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hacker’s efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. 
\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued. Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social Forces DB. Following this, only hand-written completion of the Tax Form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to a denial-of-service attack\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Any activity that could lead to the disruption of our service (DoS).\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version\n* Username/e-mail enumeration only\n* Exposure of API keys with no security impact (Google Maps API keys etc.)\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. 
All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. **(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. 
You will not need to submit the Tax Form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent of HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. 
Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-15T07:11:21.838Z"},{"id":3623728,"new_policy":"# LINE Bug Bounty rules at a glance\nThe LINE Bug Bounty Program presents to you a summary of what you should keep in mind after reading the policy: \n* The main LINE app is currently our main focus for this program. For some assets, it is required to show an effect on the application, in order for it to be considered in scope. See **Scope** for more details\n* Do not use automated scanning tools. Your IP may get restricted and you may be disqualified. See **Program Rules** for more details\n* Act in good faith\n* Do not adversely affect our users\n* The first bounty payout may take up to two months to complete. Afterwards, the process speeds up significantly. See **Eligibility Requirements** section for details\n\nThe purpose of the program is to allow Hackers to discover and report potential vulnerabilities in the LINE messenger app and LINE's Web services. We will do our best to address all reports appropriately in order to provide LINE users with a more secure service. \n\nTo compensate Hacker’s efforts, LINE offers bounty rewards. Please make sure you review the following program rules and terms of use before you report a vulnerability. By participating in this program, you agree to be bound by these rules. 
\n\n----\n\n# Response Targets \nLINE Corporation will make a best effort to meet the following response targets for hackers participating in our program: \n* Time to triage (from report submission) - 5 business days \n* Time to bounty decision (from report submission) - 15 business days\n* Time to issue resolved (from report submission) - 31 business days\n\n\\*Do note that due to regulations out of LINE Corp's control, it may take up to 2 months for the first bounty payout to be issued. Please see the *Eligibility Requirements* section for details.\n\nWe will do our best to keep you informed about our progress throughout the process. \n\n----\n# Disclosure Policy \n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from LINE Corporation (hereafter referred to as 'the Company'). \n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). \n* Participants shall treat vulnerability information as confidential information, and even after the conclusion of the Program, cannot disclose, leak, or make public said vulnerability information to a third party until the Company finishes fixing the vulnerability and makes such information publicly available. 
In the event that there is information which the Company determines as being confidential (such as details on how to attack) including cases in which Users may be subject to damage due to related vulnerabilities (vulnerabilities related to those reported by Participants or similar vulnerabilities that the Company has not yet fixed), Participants cannot disclose, leak, or make public said confidential information.\n* The statement in the preceding clause does not apply if one year has passed since the vulnerability report was received by the Company.\n* Notwithstanding the other stipulations of this Article, when there is a vulnerability caused by an External Product that also has impact reaching beyond this App, or any other circumstances that require prioritization of public interest, Participants shall be able to provide, disclose or announce vulnerability information to External Product providers or other stakeholders, regardless of whether or not the Company has corrected said vulnerability. In such cases, the Participant should take reasonable measures to not harm the interests of the Company or users of the App, including not disclosing the name of the Company or the App.\n\n----\n# Program Rules \nPlease ensure you adhere to the following rules when participating in our program and also to ensure that your submission will be eligible for a bounty\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. \n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. \n* Social engineering (e.g. phishing, vishing, smishing) is prohibited. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n* Do not use automated vulnerability scanners to launch attacks against LINE's systems\n* Do not use a discovered vulnerability to view, delete, alter, or publish user data\n* Please note that any bounty payments that may apply can only be issued to an adult \n* Not be an employee of the Company or an affiliated company \n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company \n* Be able to communicate in Japanese or English \n* Not reside in a country subject to Japanese or US economic sanctions, nor be deemed to be an affiliate of a sanctioned company or sanctioned individual at the time of reward payment for the Program \n* In order to qualify for receiving a bounty, Hackers must consent to providing their Full Name, Address, Date of Birth and Phone Number to be checked against the Japanese Anti-Social DB check. Following this, only hand-written completion of the Tax form will qualify you for the maximum bounty reward (after taxes)\n\n----\n# Test Accounts \nWe do not provide test accounts. \nPlease use your own account(s) for validating potential vulnerabilities, and take care not to affect other LINE users.\nDo not test on accounts you do not own. Failure to comply may disqualify you from receiving a bounty.\n\n----\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. Please do note that for cases with significant impact on our services, even out-of-scope vulnerabilities can be eligible for rewards. As such, if you find a significant issue, even if it is in the out-of-scope list, please do not hesitate to report it. 
The following issues are normally considered out of scope: \n\n* Vulnerability as-is after detection using an automated scanner\n* Hypothetical or theoretical vulnerabilities without actual verification code\n* Susceptibility to a denial-of-service attack\n* Susceptibility to brute force attacks aimed at retrieving passwords or tokens\n* Any activity that could lead to the disruption of our service (DoS).\n* Ability to spam LINE users arbitrarily with spam messages\n* Ability to change a password without confirmation of the previous password on LINE app\n* Session fixation\n* Absence of Cross-Site Request Forgery (“CSRF”) token in non-critical processes\n* Login/logout CSRF\n* Attack requiring physical access to a user's device or using a rooted device\n* Missing security header(s)\n* Script executions that do not affect Users\n* Vulnerabilities attributable to out-of-date browsers or platforms\n* Content related to auto fill web forms\n* Absence of secure flag attribute for **non-critical cookies**\n* Unsafe SSL/TLS cipher suites or protocol version\n* Accessibility of profile photos, Timeline photos, etc. by anyone via URL\n* Vulnerability attributable to virtual phone number\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Reporting that an unauthorized HTTP method can be used\n* Reporting vulnerabilities related to clickjacking, Tabjacking, Tabnabbing, Text injection, Open redirect, DNS CAA record\n* Credit card or payment platform reimbursement features\n* Overwriting of files or databases on device, or falsely showing possession of an item by altering a file along the communication pathway.\n* Vulnerabilities only affecting a single browser or a single version only\n* Username/e-mail enumeration only\n\n----\n# Eligibility Requirements \n\n* Be at least 16 years of age.\n* Not be an employee of the Company or an affiliated company\n* Not be an entity or part of an entity that had carried out or is carrying out a project that is being advanced with the Company\n\nIn order to prevent transactions with anti-social forces (反社会的勢力), as required by Japanese government [guidelines](http://www.moj.go.jp/content/000061957.pdf), LINE Corporation is required to perform Hacker screening before issuing bounty payments. In addition, all bounty payments are subject to tax withholding at the source. If you are not a Japanese resident, you can apply for tax reduction or exemption as described in the *Withholding Tax* section below.\n\nHackers need to provide additional information for anti-social forces screening and tax processing only once -- which is for the first awarded bounty. LINE Corporation will reuse the collected Hacker information for any additional bounties awarded thereafter. All information provided will be stored and processed according to the Program’s [Terms of Use](https://bugbounty.linecorp.com/en/terms_of_use/#article_11).\n\nIn order to be eligible to receive their bounty payment from LINE Corporation, Hackers must agree to the following process and complete the steps listed below: \n\n1. 
**(REQUIRED): Anti-social forces screening:** Upon confirmation that your report is valid and is eligible for a bounty, we will reach out to collect your FULL NAME*, ADDRESS, DATE OF BIRTH and PHONE NUMBER (with country code). This is to enable LINE Corporation to perform Anti-Social Forces screening and all information provided will be kept confidential.\n    * *If you have a Kanji name (Chinese), please include the English spelling of it as well in your Full Name\n2. **(RECOMMENDED) Income tax convention form submission:** Fill out and submit the APPLICATION FORM FOR INCOME TAX CONVENTION (JP: 租税条約に関する届出書; hereafter referred to as 'Tax Form') next, to ensure maximum bounty payout (refer to the entire *Withholding Tax* section for details).\n\nLINE will reach out to you and confirm the bounty payout, once the payment is ready to be issued. \n\n----\n# Withholding Tax\n\nLINE Corporation will pay out your bounty, after withholding the tax rate applicable for your country of residence.\n\nFor example, if you are a resident of Singapore and are awarded a $1,000 bounty, your tax rate is 10%, and the final bounty payout will be $900 after taxes. For a full list of countries and their respective tax rates, please refer to *Applicable Tax Rates* section below. \n\n## Applicable Tax Rates\n\nIf you are a Japanese resident, a tax rate of **10.21%** will be withheld. You will not need to submit the Tax form.\n\nIf you are not a Japanese resident and do not fill out the Tax Form, a fixed rate of **20.42%** will be withheld from the awarded bounty.\n\nIf you fill out and submit the Tax Form (and any additional documents, if required), the effective tax rate depends on your country of residence. A list of countries and their applicable tax rates is given below for your reference. 
Note that tax rates are subject to change and that this list is not authoritative.\n\nList of countries and applicable tax rates: {F518203}\n\n## Withholding Tax Exemption or Reduction\n\nNote that these procedures are independent from HackerOne's Tax Form (W9).\n\nIf you are a Japanese resident, you are not eligible for tax reduction or exemption. \n\nIf you are not a Japanese resident, you may be eligible for tax exemption or reduction, if your country of residence has a tax agreement with Japan. See [Japan's Tax Convention Network](https://www.mof.go.jp/english/tax_policy/tax_conventions/international_182.htm) for details.\n\nTo apply for tax exemption or reduction, please submit the provided Tax Form. Any tax reduction or exemption you are eligible for will be applied after the form is processed by Japanese tax authorities. \n\nIf you are a resident of any of the countries listed below, proof of residency is also required.\n* Australia\n* Austria\n* Czech Republic\n* Denmark\n* France\n* Germany\n* Hungary\n* Poland\n* Slovakia\n* Sri Lanka\n* Sweden\n* Switzerland\n* Turkey\n* United Kingdom\n* United States ([Form 6166](https://www.irs.gov/individuals/international-taxpayers/form-6166-certification-of-us-tax-residency))\n\n----\n## Tax Form\n\nYou can download the Tax Form and reference samples below. Note the format is different if you are a resident of Taiwan (ROC).\n\n* Tax Form (all countries): {F515592}\n * sample: {F515593}\n* Tax Form (Taiwan): {F517691}\n * sample: {F517692}\n\n**NOTE:**\nFor countries eligible for tax exemption (tax rate 0%) the Tax Form has an expiration date. 
The expiration date is 3 years from the submission date (tax office stamp date).\n\nThere is no Tax Form expiration date, if your country is not eligible for tax exemption (tax rate \u003e 0%).\n\n## Instructions for Filling out the Tax Form\n\nPlease follow these instructions to ensure smooth withholding tax processing and bounty payout.\n\n * Print out the Tax Form, fill out the required information, and sign the document. Make sure to use a pen that uses blue or black ink. \n * Your full name, address, date of birth and phone number (with country code) should match the information you provided us for Anti-Social Forces screening.\n * Mail the tax form to LINE Corporation’s office via post. The address is below: \n\n\u003e Attn: Person in charge of LINE Security Bug Bounty Program \n\u003e Security Center, LINE Corporation \n\u003e 21st floor JR Shinjuku Miraina Tower, 4-1-6 Shinjuku, Shinjuku Ward, \n\u003e Tokyo 160-0021 \n\n----\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nOur complete Terms Of Use page can be found here:\nhttps://bugbounty.linecorp.com/en/terms_of_use/\n\nThank you for helping keep LINE Corporation and our users safe \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-15T05:00:10.199Z"}]