Thank you LINE Corp, and my new chapter at TikTok Sydney 2025

It’s been a really long time since I updated my blog. Life happened, things changed, and here I am writing about it. I just left LINE Corporation after 4 years and joined TikTok as a Senior Application Security Engineer. So I figured, why not write about it?

Life as an AppSec Engineer in LINE Corporation (Sept 2021 – Sept 2025)

Four years. That’s a long time. And honestly, it was a great five years.

The two people I want to call out first are 강흥수 님 — my direct leader — and 이승진 님 — our CISO. Both of them are genuinely great leaders and I want to say that publicly. Kang-nim and Seungjin-nim, if you ever stumble on this blog, thank you.

Kang-nim just approves stuff, haha

Kang-nim has this superpower where whenever I feel like something should be automated, I’d bring him a half-baked idea and he’d just… approve it. Every single time. I built a bunch of internal tools for daily pentest work, and honestly, most of them were barely used by anyone else in the company haha. Probably just me using them for my own workflow. But he’d approve anyway.

Then in 2025 I had a presentation about one of my tools for the whole LINE Corp — and it took place at the LINE Corp headquarters in Japan. That was a wild experience. Standing in front of the whole company presenting a tool that… mostly I used myself lmao. But hey, it counts.

Bug bounty handling — where I actually learned tons

Kang-nim was also the one who pulled me into being a bug bounty handler for LINE Corp. And that is where I genuinely absorbed an enormous amount of knowledge. Reading real bug reports every day, evaluating them, talking to researchers — it hits different compared to just doing pentest internally.

Some of the things I learned deeply through that:

  • Cache poisoning
  • DNS system misconfigurations — subdomain takeovers, dangling CNAMEs, all that fun stuff
  • HTTP request smuggling — CL.TE, TE.CL, all the variants

These are the kinds of bugs that, when you see them land in a real bug bounty report with a real impact, they click in a completely different way than reading a writeup ever could. I’m really grateful Kang-nim threw me into that.

Oh and yeah, another shout-out goes to https://x.com/03sunf. We collaborated so hard on multiple H1 tickets, and on sharing CTF challenges for LINE CTF 2023, 2024, 2025, 2026. It was a great memory knowing you guys.

The thing that felt missing

That said — I’d be lying if I said everything was perfect.

The Vietnam team’s day-to-day was mostly: pentest, pentest, pentest. Some days you’d find something spicy — an IDOR that affects a whole cluster, or an SSRF — and that’s exciting for like a day. But then it’s back to the queue. Repeat. Some days honestly felt boring.

What I was always craving was work that actually moves the needle at company scale. Not just “find bug, report, close ticket”. I wanted to build things, design systems, contribute to something bigger. That itch never really went away.

A small chapter in mid 2023

I was always the type who planned to stay in Vietnam for life. Settle down, be comfortable. But mid 2023, some bad things happened in my personal life. My friends know that. I won’t go into detail here — some things are better kept offline. I’ll just say: that’s life. Small chapter, you turn the page, you keep going.

The TikTok chapter (Sept 2025 – present)

Getting the interview

Mid 2025, I got an email from TikTok Sydney for an interview. My first reaction was genuinely: why not? I wasn’t actively looking. I had a girlfriend in Vietnam, I was comfortable. But she actually encouraged me to go for it. So I did.

The interview itself

Unlike dev interviews, there’s no LeetCode. Thank god. Instead, TikTok had me cover a lot of knowledge — basically everything I’d picked up from years of pentest and bug bounty handling got tested here.

Knowledge round:

  • XSS — different types, can a reflected header cause XSS?
  • CSRF — what it is, why it was no longer in the OWASP Top 10 in 2016
  • Cache poisoning vs cache deception
  • SSRF — how to prevent it
  • HTTP request smuggling
  • My pentest methodology
  • Android — reviewing AndroidManifest, simple intent handling bugs

Then they gave me a small webapp and asked me to find all the bugs/risks and show it to them. Just some simple chain between: SQLi, SSTI, RCE, some XSS, some IDORs, some LFI bla bla.

We also had some discussion-style questions: how security is changing, what I’m most passionate about. I told them I love doing things that scale, things that are carefully designed so the system is secured by design rather than patched after the fact. I talked about how I love the Android app architecture — the way each app is sandboxed from each other by design. That kind of thinking genuinely excites me.

Then some casual small talk, how’s life, etc.

Then they sent me an offer. The pay difference between Vietnam dong and what TikTok offered is… I genuinely couldn’t turn it down. They basically threw a bag of money in my face and said “come work here”. So I did haha.

6 months in — honestly really enjoying it

It’s been close to 6 months now and I’m genuinely happy. The work split here is roughly:

  • ~30% traditional pentest work
  • ~70% larger-scale projects that actually impact the company at scale

I can’t share specifics about what I’m working on — standard stuff — but I’ll say this: my work is actually impacting things at a large scale. That itch I had at LINE? Getting scratched daily now. The pay is good. Life is good. It’s just quite lonely here in Sydney T.T

The people here are insane (in a good way)

This is probably the most surreal part. The caliber of engineers I’ve met here is just on another level.

  • A Google Senior Security Engineer of 10+ years who left Google for TikTok — the guy is scary smart
  • Someone who sold their company for millions of dollars
  • A guy who’s earned hundreds of thousands from bug bounties alone
  • And some others I can’t really talk about publicly, but trust me, the stuff they’ve done is wild

Everyone here has autism haha. And I mean that in the best way possible. Like, if you’re not a little obsessed, why would you even choose security as a career? Security engineers are the type of people who spend 20 hours straight trying to understand how something works under the hood, just because they need to know — and then try to break it with some completely left-field thinking. That’s just the vibe here.


Anyway. That’s the update. If you’re reading this: thanks for sticking around on this blog even when I disappear for long stretches. More technical posts coming, I promise. Happy hacking!
