Cybozu Bug Bounty Program
Bug Bounty Program
I found a vulnerability. How do I report it?
Please use Cybozu’s dedicated report website (the Reporting Site). An account is required for submitting reports.
How do I get an account for submitting reports?
Please request an account using the Reporting Site Account Request Form.
How do I report a vulnerability without participating in the Bug Bounty Program?
What is a security incident?
A security incident is a security-related problem that negatively affects Cybozu’s assets, such as phishing, loss of equipment, leaks, and tampering.
If you discover a security incident, please contact us using this form (Japanese only), or by email.
Note that if you report a problem with a website that is not covered by the Bug Bounty Program, you will not be eligible for a reward.
I found a vulnerability on one of your websites. Are all of your websites covered by the Bug Bounty Program?
Not all websites are covered by the Bug Bounty Program. Please check which products are covered.
How do I receive my reward?
You can receive the reward by wire transfer, or donate it to OSS communities specified by Cybozu.
If you select wire transfer, the reward will be transferred to your bank account. If you decide to donate it, the donation will be made to a recipient designated by Cybozu.
Please refer to the Cybozu Bug Bounty Program Rulebook for more information about donations.
When is the reward paid out?
The reward is paid out two months after the issue you reported has been processed, on the last business day of that month.
What is the Reporting Site?
The Reporting Site allows bug reporters to communicate with Cybozu on Kintone.
Am I allowed to test vulnerabilities on the Reporting Site?
No, you are not allowed to do this on the Reporting Site. To test vulnerabilities, use the environment provided by the Vulnerability Testing Environment Program.
See Vulnerability Testing Environment Provided on the Reporting Site for information about your testing environment.
I forgot the password to my Reporting Site account.
Reset your password by navigating to I am not able to log in and entering your registered email address.
If you do not know your login name or registered email address, please contact us at firstname.lastname@example.org.
Am I allowed to post information online (social media, blog, etc.) about vulnerabilities I have discovered?
Please refer to Guidelines for Third Party Disclosure of Vulnerabilities.