Cybozu Bug Bounty Program

FAQ

Bug Bounty Program

I found a vulnerability. How do I report it?

Please use Cybozu’s dedicated report website (the Reporting Site). An account is required for submitting reports.

How do I get an account for submitting reports?

Please request an account using the Reporting Site Account Request Form.

How do I report a vulnerability without participating in the Bug Bounty Program?

Please submit your report using the Vulnerability Report Form. If you already have a Reporting Site account, please contact us using the Inquiry Form (excluding vulnerability reports).

What is a security incident?

A security incident is a security-related problem that negatively affects Cybozu’s assets, such as phishing, loss of equipment, leaks, and tampering. If you discover a security incident, please contact us using this form (Japanese only), or by email.
Email: security@cybozu.co.jp
Note that if you report a problem with a website that is not covered by the Bug Bounty Program, you will not be eligible for a reward.

I found a vulnerability on one of your websites. Are all of your websites covered by the Bug Bounty Program?

Not all websites are covered by the Bug Bounty Program. Please check which products are covered.

How do I receive my reward?

You can receive the reward by wire transfer, or donate it to OSS communities specified by Cybozu.
If you select wire transfer, the reward will be transferred to your bank account. If you decide to donate it, the donation will be made to a recipient designated by Cybozu.
Please refer to the Cybozu Bug Bounty Program Rulebook for more information about donations.

When is the reward paid out?

The reward is paid out two months after the issue you reported has been processed, on the last business day of that month.

Do you publish information about the Bug Bounty Program on social media or through other channels?

Updated rankings and other information related to the program are posted intermittently on Cybozu's Official X (formerly Twitter) account.
We also share information through our blog.

Reporting Site

What is the Reporting Site?

The Reporting Site allows bug reporters to communicate with Cybozu on Kintone.

Am I allowed to test vulnerabilities on the Reporting Site?

No, you are not allowed to do this on the Reporting Site. To test vulnerabilities, use the environment provided by the Vulnerability Testing Environment Program.
See Vulnerability Testing Environment Provided on the Reporting Site for information about your testing environment.

I forgot the password to my Reporting Site account.

Reset your password by navigating to "I am not able to log in" and entering your registered email address.
If you do not have an account, please contact us using the form below.
https://cy-psirt.form.kintoneapp.com/public/inquery

Am I allowed to post information online (social media, blog, etc.) about vulnerabilities I have discovered?

Please refer to Guidelines for Third Party Disclosure of Vulnerabilities.