Upgrade to Pro — share decks privately, control downloads, hide ads and more …

LINE Security Bug Bounty Program

LINE DevDay 2019
November 20, 2019
Technology
0
720

LINE Security Bug Bounty Program

Keitaro Yamazaki (tyage)
LINE Application Security Team Engineer
https://linedevday.linecorp.com/jp/2019/sessions/S1-18

LINE DevDay 2019

November 20, 2019
Tweet

More Decks by LINE DevDay 2019

See All by LINE DevDay 2019
What is the engineering organization that LINE DevRel is aiming for
line_devday2019
3
2.4k
The IoT technology inside LINE DEVELOPER DAY 2019
line_devday2019
6
1.1k
How to reduce Android app launch time by scoping your dependencies using Koin DI
line_devday2019
3
810
Efficient integrating data from multiple data providers
line_devday2019
0
460
Now supporting Dark Mode on LINE messenger
line_devday2019
0
1.8k
LIFF v2, the latest Webview SDK lets you leverage LINE
line_devday2019
0
1.7k
Modern Web Testing with Cypress.io
line_devday2019
0
630
Speed up iOS Development with LLDB Code Injection and Framework Live Preview
line_devday2019
1
390
Faster iOS Builds with Bazel
line_devday2019
0
1.5k

Other Decks in Technology

See All in Technology
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
260
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
600
Platform Engineering for Software Developers and Architects
syntasso
1
570
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
230
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
420
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
340
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
300
Taming you application's environments
salaboy
0
210
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
300
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
250

Featured

See All Featured
Docker and Python
trallard
40
3.1k
Fireside Chat
paigeccino
34
3k
What's new in Ruby 2.0
geeforr
343
31k
Ruby is Unlike a Banana
tanoku
97
11k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
The World Runs on Bad Software
bkeepers
PRO
65
11k
How GitHub (no longer) Works
holman
310
140k
Gamification - CAS2011
davidbonilla
80
5k
Documentation Writing (for coders)
carmenintech
65
4.4k
4 Signs Your Business is Dying
shpigford
180
21k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k

Transcript

  1. 2019 DevDay LINE Security Bug Bounty > Keitaro Yamazaki (tyage)

    > LINE Application Security Team Engineer

  2. > Security Engineer > LINE Security Bug Bounty Program Staff

    > Security Center / Application Security Team Keitaro Yamazaki (@tyage)

  3. https://bugbounty.linecorp.com/

  4. 2020 More? 2018 $104,500 USD in Bounties 2016 Full-time Launch

    2019 Oct $100,000+ USD in Bounties 2017 $76,500 USD in Bounties 2015 Limited-time Launch History LINE Security Bug Bounty Program

  5. > Provide reward in exchange for bugs > Improve LINE

    services and company security > Launched in 2016 LINE Security Bug Bounty Program Goal of our Program

  6. Statistics in 2019 ( ~ 2019/10) LINE Security Bug Bounty

    Program Hackers 30+ Bounty $100,000+ Reports 250+

  7. Case Study

  8. Improper RegExp ticket.line.me Request token via postMessage ticket-mypage .line.me Return

    token if event origin is valid

  9. Checks if event source origin is ticket.line.me Improper RegExp

  10. Improper RegExp In regexp, dot means any character → ticketZline.me

    will pass Checks if event source origin is ticket.line.me

  11. Improper RegExp $1500 USD

  12. Rules and Guideline

  13. Rules and Guideline Bug Bounty Program Guide We provide guideline

    of our program https://github.com/line/bugbounty Purpose of Bug Bounty Program is to protect users Do not steal other users’ credentials ! ʢWe recommend to use your own account or your friends account after you got permission to find/valid a bugʣ

  14. Is It Bug Bounty? Bug Hunter LINE Employee Internal Servers

    Email contains malware

  15. Is It Bug Bounty? Bug Hunter LINE Employee Internal Servers

    Email contains malware This Is APT

  16. Recent Updates

  17. None

  18. Ƃ > Famous Bug Bounty Platform > For Hackers: •

    Easy to publish bugs • Get reputation point by reporting the bugs > For Staffs: • Support of hackerone staff • More transparency Moved to hackerone since 11/15 IUUQTIBDLFSPOFDPNMJOF
  19. None

  20. Statistics in 2019 ( ~ 2019/10) Received Reports via Hackerone

    Hackers 22+ Bounty $30,000+ Reports 80+

  21. Thank You for Watching