Cybozu Bug Bounty Program
FAQ
Bug Bounty Program
I found a vulnerability. How do I report it?
Please use Cybozu’s dedicated report website (the Reporting Site). An account is required for submitting reports.
How do I get an account for submitting reports?
Please request an account using the Reporting Site Account Request Form.
How do I report a vulnerability without participating in the Bug Bounty Program?
Please submit your report using the Vulnerability Report Form. If you already have a Reporting Site account, please contact us using the Inquiry Form excluding vulnerability reports.
What is a security incident?
A security incident is a security-related problem that negatively affects Cybozu’s assets, such as phishing, loss of equipment, leaks, and tampering.
If you discover a security incident, please contact us using this form (Japanese only), or by email.
email:security@cybozu.co.jp
Note that if you report a problem with a website that is not covered by the Bug Bounty Program, you will not be eligible for a reward.
I found a vulnerability on one of your websites. Are all of your websites covered by the Bug Bounty Program?
Not all websites are covered by the Bug Bounty Program. Please check which products are covered.
How do I receive my reward?
You can receive the reward by wire transfer, or donate it to OSS communities specified by Cybozu.
If you select wire transfer, the reward will be transferred to your bank account. If you decide to donate it, the donation will be made to a recipient designated by Cybozu.
Please refer to the Cybozu Bug Bounty Program Rulebook for more information about donations.
When is the reward paid out?
The reward is paid out two months after the issue you reported has been processed, on the last business day of that month.
Do you publish information about the Bug Bounty Program on social media or through other channels?
Updated rankings and other information related to the program are posted intermittently on Cybozu's Official X (formerly Twitter) account.
We also share information through our blog.
Reporting Site
What is the Reporting Site?
The Reporting Site allows bug reporters to communicate with Cybozu on Kintone.
Am I allowed to test vulnerabilities on the Reporting Site?
No, you are not allowed to do this on the Reporting Site. To test vulnerabilities, use the environment provided by the Vulnerability Testing Environment Program.
See Vulnerability Testing Environment Provided on the Reporting Site for information about your testing environment.
I forgot the password to my Reporting Site account.
Reset your password by navigating to I am not able to log in and entering your registered email address.
If you do not have an account, please contact us using the form below.
https://cy-psirt.form.kintoneapp.com/public/inquery
Am I allowed to post information online (social media, blog, etc.) about vulnerabilities I have discovered?
Please refer to Guidelines for Third Party Disclosure of Vulnerabilities.
If you have previously applied for a reporting site account or the vulnerability testing environment provision program, what happens if you apply again using the same email address?
If you have previously signed up to one of our programs (the Vulnerability Testing Environment Program or the Bug Bounty Program), and you later sign up to the other program using the same email address, both sign-ups will be treated as coming from the same person. If you sign up to the other program with a different email address, your new sign-up will be treated as coming from a different person. If you wish to update the information associated with the email address you used previously, please contact us.
Note that if we do not see signs you are using your account for an extended period or if you request deletion of personal information, your personal details will be deleted in accordance with the rules for handling personal information in the Terms of Use of either the Vulnerability Testing Environment Program or Bug Bounty Program.
Bear in mind that once your details have been deleted, they can no longer be linked to your account if you sign up with a new email address.