Cybozu Bug Bounty Program
Cybozu Bug Bounty Program
We will pay a reward as a token of our gratitude for those who discover and report vulnerabilities in our applicable Products.
The maximum reward per vulnerability is 2,000,000 yen.
Program Overview
How to Participate in the Program and Report Vulnerabilities
If you would like to participate in the Bug Bounty Program, please report a vulnerability using the Reporting Site.
You will need an account to report a vulnerability on the Reporting Site. Please click Account Request below to request one.
Please note that any reports made outside the Reporting Site will not be eligible for the reward payment. For reporting a vulnerability, please access the Vulnerability Report page.
Participation Requirements
Anyone can participant as long as they fulfill the following requirements:
- •You are not an employee of Cybozu or its subsidiary companies as of the time of reporting.
- •You don't work for Cybozu or its subsidiary companies as of the time of reporting under a contract such as a work delegation agreement, secondment agreement, dispatching agreement or the like.
- •You have not been employed as regular fulltime employees of Cybozu or its subsidiary companies in the past year.
- •You have not worked in the product development and cloud service operation related work at Cybozu or its subsidiary companies in the past year.
- •You can communicate with Cy-PSIRT in Japanese or English.
- •You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.
- •You agree with the terms and conditions.
Restrictions and Prohibitions
If you interfere with the operations of our services, we may take measures such as blocking their access to our services without any prior warning, thereby restricting its participation in the program in the future. For details, please confirm to Article 6 “Restrictions and Prohibited Matters” of the terms
1. Prohibition of Testing in Environments Not Covered by Cybozu Bug Bounty Program
Vulnerability testing is prohibited for the products, Web sites, and domains that are not listed in "Applicable Products, Services, and Web Sites". Furthermore, vulnerability testing for our cloud products is only allowed for (subdomain).cybozu-dev.com.
2. Function in Which Security Testing Is Prohibited
"Contact Us" function of cybozu.com Administration
3. Load Testing Is Prohibited
You cannot perform testing that puts a considerable load on the environment.
Vulnerability Testing Environment Program
We provide the " vulnerability testing environment program" so that you can conduct tests safely without considering any impact on the production environment.
Please refer to the following page for details.
Scope
Products and Services
Cloud Services
- ・cybozu.com Administration
※Except for "Contact Us" function
・Cybozu Office on cybozu.com
・Garoon on cybozu.com
・kintone -
・Mailwise on cybozu.com
・Client Certificate Authentication
・cybozu.com Store
・cybozu.com operational base
Peripheral Services
- ・Garoon API
・kintone API (REST API and JavaScript API)
・User API
・kintone Marketplace
・Cybozu Desktop2 (for Windows)
Mobile Services
- ・kintone Mobile
・Cybozu Office Mobile ※ Japanese version only
・Cloud edition Garoon Mobile
About Private Program
We will invite some participants to "private program" that we will allow testing products that are not covered by regular program or under conditions that differ from regular rules.For details, we will only contact each private program participant individually. Please note that we will not disclose the details to anyone other than the participants.
Web Sites
Rewards
Products and Services
We determine the reward amount based on the vulnerability type.Note that information on how much reward a reporter receives is not disclosed to anyone other than the reporter.For details, refer to "Cybozu Bug Bounty Program Rulebook".
kintone(*1)/cybozu.com Administration(*1)/cybozu.com Store/
kintone Marketplace
-
RCE
: 2,000,000 yen (flat rate)
-
SQL injection
: 400,000 ~ 1,600,000 yen
-
XSS
: 100,000 ~ 400,000 yen
-
Injection (Except for SQL injection)
: 50,000 ~ 350,000 yen
-
Permissions, Privileges, and Access Controls
: 200,000 ~ 800,000 yen
-
Mobile app specific vulnerability
: 10,000 ~ 2,000,000 yen(Applicable:kintone Mobile)
-
Others
: 10,000 ~ 2,000,000 yen
(*1) Includes APIs provided by each product
Garoon(*1)/Mailwise/Cybozu Office
-
RCE
: 2,000,000 yen (flat rate)
-
SQL injection
: 100,000 ~ 1,000,000 yen
-
XSS
: 50,000 ~ 200,000 yen
-
Injection (Except for SQL injection)
: 40,000 ~ 200,000 yen
-
Permissions, Privileges, and Access Controls
: 50,000 ~ 400,000 yen
-
Mobile app specific vulnerability
: 10,000 ~ 2,000,000 yen(Applicable:Cybozu Office Mobile,Cloud edition Garoon Mobile)
-
Others
: 10,000 ~ 2,000,000 yen
(*1) Includes APIs provided by each product
cybozu.com operational base/Client Certificate Authentication/
Cybozu Desktop2 (for Windows)
-
RCE
: 2,000,000 yen (flat rate)
-
Others
: 10,000 ~ 2,000,000 yen
For details on how to judge vulnerability information in Cybozu Bug Bounty Program, see "Vulnerability Identification Guidelines".
Web Sites
-
RCE
: 1,000,000 yen (flat rate)
-
Others
: 20,000 yen (flat rate)
Rewards for vulnerabilities found on Web sites are calculated by applying the fixed rate described above even when the vulnerability is found in CGI, JavaScript, or other programs. For a list of applicable Web sites, see the tables above in the section "Applicable Products, Services, and Web Sites".
Contact us
Frequently Asked Questions (FAQ)
Please check the frequently asked questions and answers before contacting us.
FAQContact Us
You can contact us at the Reporting Site with any questions or requests regarding the Bug Bounty Program.
If you do not have an account, you can also contact us by email.