LINE Security Bug Bounty Program

Keitaro Yamazaki (tyage)
LINE Application Security Team Engineer
https://linedevday.linecorp.com/jp/2019/sessions/S1-18

LINE DevDay 2019

November 20, 2019

Transcript

  1. 2019 DevDay LINE Security Bug Bounty > Keitaro Yamazaki (tyage) > LINE Application Security Team Engineer

  2. Keitaro Yamazaki (@tyage), Security Center / Application Security Team > Security Engineer > LINE Security Bug Bounty Program Staff

  3. https://bugbounty.linecorp.com/

  4. History: LINE Security Bug Bounty Program > 2015 Limited-time Launch > 2016 Full-time Launch > 2017 $76,500 USD in Bounties > 2018 $104,500 USD in Bounties > 2019 Oct $100,000+ USD in Bounties > 2020 More?

  5. Goal of our Program: LINE Security Bug Bounty Program > Provide reward in exchange for bugs > Improve LINE services and company security > Launched in 2016

  6. Statistics in 2019 (~2019/10): LINE Security Bug Bounty Program > Hackers 30+ > Bounty $100,000+ > Reports 250+

  7. Case Study

  8. Improper RegExp > ticket.line.me → Request token via postMessage → ticket-mypage.line.me > Return token if event origin is valid

  9. Improper RegExp > Checks if event source origin is ticket.line.me

  10. Improper RegExp > Checks if event source origin is ticket.line.me > In regexp, dot means any character → ticketZline.me will pass

  11. Improper RegExp > $1500 USD

  12. Rules and Guideline

  13. Rules and Guideline > Bug Bounty Program Guide: we provide a guideline for our program at https://github.com/line/bugbounty > The purpose of the Bug Bounty Program is to protect users > Do not steal other users' credentials! (We recommend using your own account, or your friend's account after you have got permission, to find/validate a bug)

  14. Is It Bug Bounty? Bug Hunter → LINE Employee → Internal Servers (email contains malware)

  15. Is It Bug Bounty? Bug Hunter → LINE Employee → Internal Servers (email contains malware) > This Is APT

  16. Recent Updates

  17. None
  18. > Famous Bug Bounty Platform > For Hackers: • Easy to publish bugs • Get reputation points by reporting bugs > For Staff: • Support of HackerOne staff • More transparency > Moved to HackerOne since 11/15: https://hackerone.com/line

  19. None
  20. Statistics in 2019 (~2019/10): Received Reports via HackerOne > Hackers 22+ > Bounty $30,000+ > Reports 80+

  21. Thank You for Watching
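Added example (not from the talk or from LINE's code) modelling the origin check in the Improper RegExp case study of slides 8 to 11: the unescaped-dot pattern is an assumed reconstruction, since the slides do not show the real one, and the message objects are constructed stand-ins for a browser MessageEvent.

```javascript
// Assumed reconstruction of the flawed check: each unescaped "." matches ANY
// character, so a look-alike host such as "https://ticketZline.me" passes.
const VULNERABLE_ORIGIN_RE = /^https:\/\/ticket.line.me$/;

function isTrustedOriginVulnerable(origin) {
  return VULNERABLE_ORIGIN_RE.test(origin);
}

// Hardened check: an origin is scheme + host (+ port), so compare the whole
// string against an explicit allow-list instead of using a pattern at all.
const TRUSTED_ORIGINS = new Set(["https://ticket.line.me"]);

function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Simulated receiver on ticket-mypage.line.me: answer a token request only when
// the sender's origin is trusted. `event` mimics a MessageEvent ({ origin, data })
// and `respond` models event.source.postMessage(reply, targetOrigin).
function handleTokenRequest(event, secretToken, respond, check = isTrustedOrigin) {
  if (!event || event.data !== "request-token") return false;
  if (!check(event.origin)) return false;          // unknown origin: never answer
  respond({ token: secretToken }, event.origin);   // reply only to the verified origin
  return true;
}

// Constructed messages for a self-check (not captured traffic).
const legit = { origin: "https://ticket.line.me", data: "request-token" };
const lookalike = { origin: "https://ticketZline.me", data: "request-token" };

// Runs both checks against both messages and records where replies would go.
function demo() {
  const sent = [];
  const respond = (reply, target) => sent.push(target);
  return {
    vulnLegit: handleTokenRequest(legit, "tok", respond, isTrustedOriginVulnerable),
    vulnLookalike: handleTokenRequest(lookalike, "tok", respond, isTrustedOriginVulnerable),
    fixedLegit: handleTokenRequest(legit, "tok", respond),
    fixedLookalike: handleTokenRequest(lookalike, "tok", respond),
    targets: sent,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```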