Asian market moving tentatively towards a more open approach to security, says Line Corporation’s Robin Lunde
Line Corporation, the Tokyo-based developer of the eponymous messaging app, has launched a public bug bounty program through HackerOne.
The company, whose 194 million users are heavily concentrated in Asian countries like Japan, Thailand, and Indonesia, has already received 1,000 reports and paid out $300,000 from a private program that was launched in June 2016.
Robin Lunde, a security engineer at Line, told The Daily Swig why it was time for a step change in the messaging giant’s security strategy.
Hi, Robin. Why did you decide to migrate your bug bounty program to HackerOne?
Robin Lunde: Our platform had some problems that were difficult and time-consuming to resolve.
This, combined with increasing participation and the number of high-quality reports, was the main reason.
We believe that increasing engagement will allow us to further improve our services, so we found it natural to open our program to the public.
Starting as a private program and running it in parallel with our own public program for a transition period allowed us to get used to the HackerOne platform and prepare for the increased number of reports.
We would definitely recommend this approach to other companies.
Our impression is that starting private allows a gentle introduction to bug bounty programs and can quickly help companies realize the benefits, hopefully leading to more public programs.
Why did you launch a bug bounty program in the first place?
RL: We want bugs to be shared with us rather than exploited in the wild or sold/shared, and we want to reward people for finding them. With every bug, our internal security improves as well, so it’s a win-win situation for both the reporters and us.
We also want to show our users that we take security incidents seriously.
We have seen steady growth in participation and reported vulnerabilities, and we hope this trend continues.
Do you feel that Japanese organizations, and the wider Asia market, are becoming more open to the idea of bug bounties?
RL: We think Japan and the Asian market in general are becoming more open to this idea, but it’s a slow change.
Our impression is that global companies are leading the way and showing the benefits, leading more companies to start evaluating if this is something that can benefit them as well.
While it may still take some time before it becomes common, the Asian market is gradually moving towards a more open approach to security, where issues are not hidden, but shared and improved.
We hope to lead the way in Asia, showing there are many benefits and few drawbacks to running a public bug bounty program.
We hope to show that even big corporations can benefit and the value of using highly skilled hackers worldwide to provide the best possible security for users.
How has the bug bounty program impacted Line’s overall security posture and strategy?
RL: It has allowed us to fix a wide variety of vulnerabilities and worked as an early warning system for critical issues.
Our internal team cannot catch [every vulnerability before release, so] we consider bug bounty an additional [security] layer.
Bounty hunters can spend as much time as they want on a vulnerability and often find issues we cannot. We also learn a lot from the reports, so we improve as well.
What findings is the team most interested in surfacing?
RL: Issues that affect user security and privacy, like client-side DoS; that affect business partners, such as privilege escalations for business accounts; and high-impact server-side issues like RCE, SSRF, SQLi and logic bugs.
We believe we’re on the higher end of the payout scale with a wide range of applications and technologies to target [and] a large scope.
This article incorporates lightly edited extracts from this conversation with HackerOne.