LINE Launches Public Bug Bounty Program: Q&A with Security Engineer Robin Lunde
LINE Corporation is one of the most popular messaging applications in Asia Pacific, serving millions of users in countries including Japan, Thailand, Indonesia, Taiwan, and India to name a few. The Japan-based company allows users to exchange texts, images, video, as well as conduct VoIP conversations and video conferences. In addition, the platform provides various services including digital wallet as Line Pay, news stream as Line Today, video on demand as Line TV, and digital comic distribution as Line Manga and Line Webtoon.
In June 2016, LINE launched its own public bug bounty program to boost its security. Since then they have thanked nearly 300 hackers and paid out more than $300,000 in bounties. After three successful years, LINE made the decision to fully migrate its self-managed program to the HackerOne platform to raise global awareness of its program and tap the world’s largest community of skilled hackers. Today, LINE is launching its first public bug bounty program on HackerOne.
To learn more about LINE’s program, the results the team has already seen since joining the platform, and the company’s commitment to security, we sat down with LINE security engineers Robin Lunde, Koh You Liang and Keitaro Yamazaki. Take a look at what we learned:
Q: Please introduce yourself. Tell us what you do at LINE and why cybersecurity is so important to your business.
A:Hello, My name is Robin Lunde and I am in charge of our bug bounty program. To help me with responding to the questions I have two members of my team with me: Koh You Liang and Keitaro Yamazaki. Cybersecurity is important to us for many different reasons. We want our users to feel confident in using our services, especially considering how there has been an increased focus on security in recent times. We want our users to know that we care about their privacy and protect it to the best of our ability. As a lot of our services are online, in order to operate smoothly we have to take security into consideration. We do our best to protect our users in all markets and across all services and to do so properly, we believe a mature approach to cybersecurity is absolutely required.
Q: LINE has run a bug bounty program independently for years. Why did LINE decide to start a bug bounty program in the first place? What have been some results of your program to date?
A: Our initial goal was to create a contact point for reporters. We want bugs to be shared with us rather than exploited in the wild or sold/shared, and we want to reward people for finding them. With every bug, our internal security improves as well, so it is a win-win situation for both the reporters and us. We also want to show our users that we take security incidents seriously and encourage reporting them to us so we could fix them quickly. Finally, we want our users to trust our services, and what better way to do that then to show them that we are actively improving our security stance? During our time running the bug bounty program we have received more than 1000 reports and we have paid over $300,000 in bounties. We have seen a steady growth in participation and reported vulnerabilities and we hope this trend continues.
Q: What has it been like working with hackers thus far? Anything surprising?
A: Working with hackers has been very refreshing and rewarding, albeit challenging at times. A lot of us participate in other bug bounty programs in our spare time, so we can easily relate to what the hackers think and feel. We often feel excited and impressed when we receive a report showing a unique technique or a new approach to exploiting an issue. We try to communicate with the hackers as our peers and explain our actions and reasoning as best we can. Unfortunately there are times where it is challenging to give the reporter the attention and explanation they deserve without running into issues like disclosing information that is not public or other, similar issues. In those times, we try our best to find a compromise in which both parties can be happy. It can be challenging for both our team and the reporters, but we are always working to be better and hope that the participants in our program understand this and help us gradually improve. The most surprising thing for us, is how many young, highly skilled bug bounty hunters are out there. They never cease to amaze us.
Q: Why switch to the HackerOne platform? Did the LINE security team evaluate other vendors?
A:There were a lot of different reasons for us choosing to switch to the HackerOne platform. The most important one was to increase our visibility and thereby increasing the amount of high quality reports we receive as well. We also want a broader audience and since HackerOne already has a large number of skilled hackers, we believe that moving will help us reach a larger number of hackers. While LINE is quite well known in Asia, it is not as well known outside of our core markets, and we hope switching to the HackerOne platform will increase visibility and participation from hackers all around the world. As being transparent about security issues is very important to us, we wanted a convenient way to disclose such information. Our original platform did not have an easy way of achieving this, so it was also a contributing factor in deciding to move to HackerOne.
Q: What are you most looking forward to on HackerOne?
A: There are two key things we look forward to. The first is receiving reports from hackers worldwide. We have had the pleasure of receiving reports from many different places while running our own bug bounty program, but hope to see even more activity and reports from different countries around the world. We want to reach hackers on a global scale and believe a global outreach helps give us new perspectives and improve our services. The second is being able to share some details and information regarding the reports we receive with the public. It is and always has been our goal to be transparent when it comes to incidents or issues – we want to be up front with our users regarding any issues we are facing. We are very excited to be able to share more information with everyone, regardless of if you are interested in the security implications of an issue or just a normal user wanting details regarding an issue that may have affected you.
Q: What LINE assets are available for hackers to test?
A: The assets that are currently in scope is the main LINE application(for iOS, Android, Chrome, MacOS and Windows). In addition to vulnerabilities in the application, these domains are also in scope:
Furthermore, these domains are also in scope, but limited to attack vectors that can impact the LINE application:
Let us clarify this by using an example: If an XSS is only exploitable outside of the LINE application, for the three above-mentioned domains, it is not considered in scope. The attack has to be successful in any of the web applications available inside of LINE and directly demonstrate significant impact to the end users - like stealing authentication cookies or tokens.
At this time, our financial services, partner services and services provided by subsidiary, independent companies are not in scope. We are hoping to include them in the future though, so that is something to look out for.
Q: How has the bug bounty program impacted LINE’s overall security posture and strategy?
A: The bug bounty program has helped us improve in many ways. It has allowed us to fix a wide variety of different issues and vulnerabilities in many of our services. It has also worked as an early warning system in case of critical issues in important services. It allowed early detection and incident response to issues that may otherwise have severely impacted our users. There is no doubt that it has allowed us to keep our users and their data more secure Our internal team does a good job of detecting security issues before release, but cannot catch everything. This is due to many different reasons, but the biggest one is likely the time limit we are under since we have to finish our check before the service release deadline. We consider bug bounty an additional layer to our security strategy, which allows for uncovering and detecting security issues that are unlikely to be discovered otherwise. For example, issues in more obscure services or issues that require a significant time investment. Bounty hunters can spend as much time as they want on a vulnerability. This allows for a more in-depth examination of the intricacies of the functionality and often allow reporters to find issues we cannot. We also learn a lot from the reports, so we improve as well, allowing us to avoid similar issues in the future.
Q: What findings is the team most interested in surfacing? What types of bugs are most valuable to LINE?
A: Since the main part of our services reside within the main LINE application, issues that affect user security and privacy are the most important to us, so anything that can put that at risk is very valuable to us. This means that our scope also include issues that may adversely affect daily users, like client side DoS. Because of the impact of such vulnerabilities, please only test on accounts you own or have received explicit permission to test on. This is a general rule for our program. Since we also have a lot of business partners, vulnerabilities that affect these partners are also taken very seriously and are highly valuable to us. An example of this is privilege escalations from user to admin for business accounts, as it would possibly allow someone with access to a business account to abuse it for their own gain, and therefore impact both LINEs and the respective business negatively. Finally, we also care a lot about any server side issues with significant impact. This is more standard and in general things we believe all programs likely care about but, RCE, SSRF, SQLi and Logic bugs are highly valued. In addition, any leaks or information disclosure containing Personal Identifiable Information is taken very seriously.
Q: Why should hackers participate in your program? What advice would you give them?
A:We believe we are on the higher end of the scale in regard to payouts and that we have a wide range of applications and technologies to target (Web, mobile, hybrid,IoT, financial, etc.). We also have a large scope and many assets, so there is no lack of places to go bug hunting. We try to judge each report based on the impact it could have. As an outside researcher it can be hard to know how exactly what impact a finding can have, since you cannot see the code nor do you have access to all the information about how the system works. We understand this and take it in to consideration when deciding our bounties as well as when we communicate with the participants of our program. We also make it a point to take the time to answer additional questions from each hacker, such as when they do not agree with our bounty decision. As general advice to our reporters we would like to encourage writing proper, easy to understand reports. It is taken into account when we are evaluating the bounty as it makes our work easier and allows us to respond quicker. A good report does not necessarily mean a long one though! A report should contain the following:
- Easy to understand and relevant title
- Quick summary of the issue
- Clearly stated location of issue: App + Version or Web page + Endpoint (Full URL is also OK)
- Clearly stated, simple to follow steps to reproduce the behavior
- Clearly stated impact of the issue
- Suggested way to resolve the issue
Q:What is different and unique about the LINE bug bounty program?
A: The feedback from many hackers is that our team and the way we handle reports is very positive. Many mention they are skeptical about our bounty payment timeline, but the feedback we have received is that in the end, the wait is definitely worth it. We have retained a high number of hackers over time, which we believe is a testament to the fact that we handle our program in a fashion that is valuable to both our company and to our participants. While this has not been confirmed, we also believe our willingness to listen to hacker feedback and change our procedures based on what they share with us, is a contributing factor to why many hackers stick with our program. We hope to continue this trend and want to encourage hackers that participate in our program to challenge us and give us feedback on how we are operating. Of course this is based on the feedback being reasonable and backed by constructive criticism and logical arguments, but our experience is that it is commonly the case. While we cannot promise that we can comply with every request, we at least hope that in the cases where we cannot comply, we can give the hackers insight as to why, and let them see the situation from our perspective. Our end goal is to cooperate with hackers as much as we can – we are after all relying on their cooperation in order to run a successful program.
Q: Anything else you’d like to add?
A: We would like to thank all the hackers that have participated in our program thus far. Your contributions are important to us. With that said, we also welcome new hackers and look forward to receiving both reports and new perspectives on our bug bounty program.
If you’re interested in learning more about LINE’s bug bounty program or want to submit a vulnerability report, visit https://hackerone.com/line.