I found a vulnerability. How do I report it?

Please use Cybozu’s dedicated report website (the Reporting Site). An account is required for submitting reports.

How do I get an account for submitting reports?

Please request an account using the Reporting Site Account Request Form.

How do I report a vulnerability without participating in the Bug Bounty Program?

Please submit your report using the Vulnerability Report Form. If you already have a Reporting Site account, please contact us using the Inquiry Form excluding vulnerability reports.

What is a security incident?

A security incident is a security-related problem that negatively affects Cybozu’s assets, such as phishing, loss of equipment, leaks, and tampering. If you discover a security incident, please contact us using this form (Japanese only), or by email.
email：security@cybozu.co.jp
Note that if you report a problem with a website that is not covered by the Bug Bounty Program, you will not be eligible for a reward.

I found a vulnerability on one of your websites. Are all of your websites covered by the Bug Bounty Program?

Not all websites are covered by the Bug Bounty Program. Please check which products are covered.

How do I receive my reward?

You can receive the reward by wire transfer, or donate it to OSS communities specified by Cybozu.
If you select wire transfer, the reward will be transferred to your bank account. If you decide to donate it, the donation will be made to a recipient designated by Cybozu.
Please refer to the Cybozu Bug Bounty Program Rulebook for more information about donations.

When is the reward paid out?

The reward is paid out two months after the issue you reported has been processed, on the last business day of that month.

Do you publish information about the Bug Bounty Program on social media or through other channels?

Updated rankings and other information related to the program are posted intermittently on Cybozu's Official X (formerly Twitter) account.
We also share information through our blog.