Bug fixes on LINE's global career site
On January 3rd, 2019, a security bug (vulnerability) affecting LINE’s global career site (career.linecorp.com) was reported via our Bug Bounty program and was promptly fixed. This announcement details our response.
1. Overview of the vulnerability
After performing a particular action on career.linecorp.com, it was possible to download the resume files posted by other users. This vulnerability affects only the global career site and does not affect any other LINE services.
- Affected site: career.linecorp.com
  LINE Global career site (independent from LINE Japan's recruiting site at https://linecorp.com/ja/career and LINE Career at https://career.line.me)
- Information that was downloaded
  Files posted via the application form on career.linecorp.com before January 3rd, 2019 (resume files of job applicants, etc.)
2. Our response
We found the cause of the vulnerability on January 3rd, 2019 and issued a fix.
After investigating the impact of the vulnerability and checking our access log files, we found that the security researcher had downloaded a number of files while verifying whether the vulnerability was reproducible.
We have asked the security researcher to destroy all obtained information, and received a written declaration that he will not disclose any of the information obtained.
We have not found any evidence that anyone besides the security researcher has obtained any files from our global career site. We have notified affected applicants by email.
3. Vulnerability timeline
- January 3rd, 2019 06:36 The vulnerability was reported via our Bug Bounty Program
- January 3rd, 2019 18:50 The vulnerability was fixed
- January 3rd, 2019 19:22 We informed the reporter that the vulnerability was fixed
- January 29th We received an information destruction declaration from the reporter
- June 13th We notified affected users and disclosed the vulnerability
4. About LINE's Bug Bounty Program
We continue to accept vulnerability reports via the LINE Security Bug Bounty.
As of June 2019 the following vulnerabilities have been recognized as valid:
To keep the operations of LINE Group transparent, we will continue to disclose significant vulnerabilities.
Inquiry form: https://contact-cc.line.me/en/10095/ (until July 12th 2019)