Cybozu Bug Bounty Program

The Bug Bounty Program was started in June 2014. We pay a reward as a token of our gratitude to those who discover and report vulnerabilities in our packaged products or in our cloud services. The maximum reward per vulnerability is 1,000,000 yen. We also provide the "bug bounty testing environment program" so that you can conduct tests safely without having to consider any impact on the production environment. To report a vulnerability you have discovered, click here.

Program Overview

Program Purpose

The Bug Bounty Program is a system intended to discover and remove, at an early stage, zero-day vulnerabilities that might exist in services provided by Cybozu.


Program Period

April 20, 2019 - December 18, 2019

During this period, rewards are notified for reports that are certified as vulnerabilities.
Reports made outside this period will be processed under next year's program rules.


Vulnerability information acceptance period

We will accept vulnerability information at any time.


Participation Requirements

Anyone can participate as long as they fulfill the following requirements:


  • You are not an employee of Cybozu Inc. or its subsidiary companies.
  • You can communicate with Cy-PSIRT in Japanese or English.
  • You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.
  • You agree with the terms and conditions.

Steps in This Program

  1. Apply for the bug bounty testing environment program
    ※Optional
  2. Test
  3. Report
  4. Get evaluated
  5. Receive rewards

Applicable Products, Services, and Web Sites

Products and Services

Cloud Services
  • cybozu.com administration
    ※Except for "Contact Us" function
  • Cybozu Office on cybozu.com
  • Garoon on cybozu.com
  • kintone
  • Mailwise on cybozu.com
  • Client Certificate Authentication
  • cybozu.com Store
  • cybozu.com operational base
Packaged Products
  • Cybozu Office
  • Mailwise
  • Garoon 4
  • Full text search server 2.0
Mobile Services
  • Cybozu(R) KUNAI
  • kintone Mobile
  • Mailwise Mobile
  • サイボウズ Office 新着通知 (Cybozu Office New Notifications)
    ※ Japanese version only
Peripheral Services
  • Garoon API
  • kintone API (REST API and JavaScript API)
  • User API
  • Marketplace
  • Cybozu Remote Service
  • Cybozu Desktop 2

Web Sites

※Target domains: "cybozu.com", "kintone.com", "cybozu.cn"

Service Introduction Web Sites
  • Product Web sites: https://www.cybozu.com, https://www.kintone.com
Related Web Sites
  • Help Web sites: https://help.kintone.com, https://help.cybozu.cn
  • cybozu.com operating status: https://status.cybozu.com, https://status.kintone.com
  • Cybozu CDN: https://js.cybozu.com, https://js.kintone.com, https://js.cybozu.cn
  • Others: https://blog.kintone.com

Restrictions and Prohibitions

If a penetration tester interferes with the operation of our services, we may take measures such as blocking their access to our services without any prior warning, and may restrict their future participation in the program. For details, please refer to Article 6 "Restrictions and Prohibitions" of the terms.

1. Environments in Which Security Testing Is Prohibited
  • (subdomain).cybozu.com
  • (subdomain).kintone.com
  • (subdomain).cybozu.cn
  • Web sites with domain names that end with "co.jp"
  • Web sites that are not listed as the applicable sites
  • https://cybozu.net
2. Functions in Which Security Testing Is Prohibited
  • "Contact Us" function of cybozu.com administration
3. Load Testing Is Prohibited

Do not implement testing methods that put a considerable load on the environment. Also, do not conduct testing with the purpose of putting load on the environment.

How Rewards Are Calculated

Products and Services

CVSS v3 base score of "9.0" to "10" × rate of "50,000 yen"

CVSS v3 base score of "7.0" to "8.9" × rate of "30,000 yen"

CVSS v3 base score of "0.0" to "6.9" × rate of "10,000 yen"

Special rewards

Vulnerability type

SQL Injection
CVSS v3 base score of "6.9 or less": the above calculation × 3

RCE: 1,000,000 yen (flat rate)

Product type

kintone, kintone Mobile, cybozu.com administration, and cybozu.com operational base: the above calculation × 5

Garoon: the above calculation × 2

See the "Cybozu Bug Bounty Program Rulebook" to learn the calculation method in detail.
Note that information on how much reward a reporter receives is not disclosed to anyone other than the reporter.

About CVSS v3 Base Score

CVSS is an open, general-purpose method of evaluating vulnerabilities in information systems. It represents the severity of a vulnerability as a numeric value from "0.0" to "10.0". For details, click here (FIRST's Web site).


Web Sites

1 vulnerability × 20,000 yen = Reward amount

RCE: 1 vulnerability × 1,000,000 yen (flat rate)

Rewards for vulnerabilities found on Web sites are calculated by applying the fixed rate described above. CVSS v3 is not applied, even when the vulnerability is found in CGI, JavaScript, or other programs. For a list of applicable Web sites, see the tables above in the section "Applicable Products, Services, and Web Sites".

Donating Rewards

Instead of claiming a reward, you can donate it to an OSS community selected by Cybozu. If you choose to donate your reward, Cybozu will also donate the same amount to that OSS community. For details about donations, see the "Cybozu Bug Bounty Program Rulebook".

Report

Report from the Web Form

Report Form for Vulnerability Information

Report by E-mail

E-mail: productsecurity@cybozu.co.jp
Be sure to include the following information:

  • Confirmation of participation in the Bug Bounty Program (choose one)
    • I agree with the terms of the bug bounty program and am reporting under it.
    • I am only reporting, without participating in the bug bounty program.

      We pay a reward as a token of our gratitude to those who discover and report vulnerabilities.
      ※ No reward can be obtained for products that are not covered.

  • Your name: (Write your name.)
  • Summary: (Briefly summarize what kind of problem occurs.)
  • Environment in which you found the vulnerability: (Describe the operating system, browser, and so on precisely, so that the problem can be reproduced.)
  • How to reproduce: (Describe how to reproduce the problem in detailed steps.)

When informing us of security incidents on Web sites that are not covered, please contact us by e-mail.
※ No reward can be obtained for Web sites that are not covered.

CSIRT Description

Contact Us

This program is managed by the PSIRT in Cybozu, Inc., called Cy-PSIRT. All inquiries regarding this program must be made by e-mail or by using the Web form. Inquiries made by other methods will not be answered.

System Details

Bug Bounty Testing Environment Program

The bug bounty testing environment program is provided for those who want to cooperate to improve the quality of our services.


Application Requirements

  • You agree with the terms and conditions of the application.
  • You can communicate in Japanese or English.
  • You are not an employee of Cybozu Inc. or its subsidiary companies.
  • You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.

Services and Products Available for Testing

Cloud Services

With the bug bounty testing environment program, we provide a system that is on physically separate servers and lines from the production environment. You can conduct tests safely without considering any impact on the production environment.

Notes

Services provided through the bug bounty testing environment program run in "debug mode". If an error occurs on a service running in "debug mode", detailed information about the error is displayed on the screen. The information on such error screens is provided for our own debugging and is out of scope for your vulnerability testing.
Also, do not conduct testing with the purpose of putting load on the environment.

Packaged Products

To test a packaged product, you need to set up an environment yourself. If you want to test a product in greater detail, we can provide a license for testing. For details, please contact the Cy-PSIRT office (pentest@cybozu.co.jp).

  • Cybozu Office 10
  • Cybozu Garoon 4
  • Cybozu Mailwise 5
  • Remote Service
  • KUNAI

Application and Inquiry

Apply for Bug Bounty Testing Environment Program