Cybozu Bug Bounty Program

The Bug Bounty Program was started in June 2014. We pay a reward, as a token of our gratitude, to those who discover and report vulnerabilities in the applicable Products. The maximum reward per vulnerability is 2,000,000 yen. We also provide the "bug bounty testing environment program" so that you can test safely without having to consider any impact on the production environment.

Program Overview

Program Purpose

The Bug Bounty Program is a system intended to discover and remove, at an early stage, zero-day vulnerabilities that might exist in services provided by Cybozu.


Vulnerability information acceptance period

We will accept vulnerability information at any time.


Participation Requirements

Anyone can participate as long as they fulfill the following requirements:


  • You are not an employee of Cybozu or its subsidiary companies at the time of reporting.
  • You are not working for Cybozu or its subsidiary companies at the time of reporting under a contract such as a work delegation agreement, secondment agreement, dispatching agreement or the like.
  • You have not been a regular full-time employee of Cybozu or its subsidiary companies in the past year.
  • You have not been engaged in product development or cloud service operation work at Cybozu or its subsidiary companies in the past year.
  • You can communicate with Cy-PSIRT in Japanese or English.
  • You can provide your own equipment to access the testing environment. There are no restrictions on what kind of equipment may be used.
  • You agree to the terms and conditions.

Steps in This Program

Please send vulnerability reports via the reporting site.
To use the reporting site, you need to apply for an account. You can apply for an account using the application form.

  1. Apply for the bug bounty testing environment program
    ※Optional
  2. Test
  3. Report
  4. Get evaluated
  5. Receive rewards

Applicable Products, Services, and Web Sites

Products and Services

Cloud Services
  • cybozu.com administration
    ※Except for "Contact Us" function
  • Cybozu Office on cybozu.com
  • Garoon on cybozu.com
  • kintone
  • Mailwise on cybozu.com
  • Client Certificate Authentication
  • cybozu.com Store
  • cybozu.com operational base
Mobile Services
  • kintone Mobile
  • Cybozu Office Mobile
    ※ Japanese version only
Peripheral Services
  • Garoon API
  • kintone API (REST API and JavaScript API)
  • User API
  • kintone Marketplace
  • Cybozu Desktop2 (for Windows)

Web Sites

Service Introduction Web Sites
  • Product Web sites: https://www.cybozu.com
  • How to log in: https://cybozu.co.jp/customer/howtologin/
  • Let's try! Create a kintone App: https://kintone.cybozu.co.jp/try-kintone-app-builder/

About Private Program

We invite some participants to a "private program" in which we allow testing of products that are not covered by the regular program, or testing under conditions that differ from the regular rules.
Details are communicated to each private program participant individually. Please note that we do not disclose the details to anyone other than the participants.

Restrictions and Prohibitions

If you interfere with the operation of our services, we may take measures such as blocking your access to our services without prior warning, and may restrict your participation in the program in the future. For details, see Article 6 "Restrictions and Prohibitions" of the terms.

1. Prohibition of Testing in Environments Not Covered by Cybozu Bug Bounty Program

Vulnerability testing is prohibited against any product, Web site, or domain that is not listed in "Applicable Products, Services, and Web Sites".
Furthermore, vulnerability testing of our cloud products is only permitted against (subdomain).cybozu-dev.com; production domains are out of scope.

2. Function in Which Security Testing Is Prohibited
  • "Contact Us" function of cybozu.com administration
3. Load Testing Is Prohibited

Do not perform testing that places a considerable load on the environment.

Rewards

Products and Services

We determine the reward amount based on the vulnerability type.
Note that the amount of the reward paid to a reporter is not disclosed to anyone other than that reporter.
For details, refer to the "Cybozu Bug Bounty Program Rulebook".

The reward columns are grouped by product as follows:

  Group A: kintone(*1), cybozu.com administration(*1), cybozu.com Store, kintone Marketplace
  Group B: Garoon(*1), Mailwise, Cybozu Office, cybozu.com operational base, Client Certificate Authentication
  Group C: Cybozu Desktop2 (for Windows)

  Vulnerability type                            | Group A                                        | Group B                                              | Group C
  RCE                                           | 2,000,000 yen (flat rate)                      | 2,000,000 yen (flat rate)                            | 2,000,000 yen (flat rate)
  SQL injection                                 | 400,000 ~ 1,600,000 yen                        | 100,000 ~ 1,000,000 yen                              | -
  XSS                                           | 100,000 ~ 400,000 yen                          | 50,000 ~ 200,000 yen                                 | -
  Injection (except SQL injection)              | 50,000 ~ 350,000 yen                           | 40,000 ~ 200,000 yen                                 | -
  Permissions, Privileges, and Access Controls  | 200,000 ~ 800,000 yen                          | 50,000 ~ 400,000 yen                                 | -
  Mobile app specific vulnerability             | 10,000 ~ 2,000,000 yen (applies to kintone Mobile) | 10,000 ~ 2,000,000 yen (applies to Cybozu Office Mobile) | -
  Others                                        | 10,000 ~ 2,000,000 yen                         | 10,000 ~ 2,000,000 yen                               | 10,000 ~ 2,000,000 yen

  (A dash means no reward is listed for that vulnerability type in that group.)

(*1)Includes APIs provided by each product

For details on how vulnerability reports are assessed in the Cybozu Bug Bounty Program, see the "Vulnerability Identification Guidelines".


Web Sites

RCE : 1,000,000 Japanese Yen (Fixed)

Others : 20,000 Japanese Yen (Fixed)

Rewards for vulnerabilities found on Web sites are paid at the fixed rates described above, even when the vulnerability is found in CGI, JavaScript, or other programs hosted on the site. For the list of applicable Web sites, see "Applicable Products, Services, and Web Sites" above.

Donating Rewards

You can donate an earned reward to an OSS community selected by Cybozu instead of claiming it. If you choose to donate your reward, Cybozu will also donate the same amount to that OSS community. For details about donations, see the "Cybozu Bug Bounty Program Rulebook".

Report

Report from the Reporting Site

For details on how to submit vulnerability information, refer to the following page. Please note that you are not eligible for a reward if you report a vulnerability without using the reporting site.

Vulnerability Report

Please use the following e-mail address to inform us of security incidents on Web sites that are not covered by the program.
* You are not eligible for a reward if you report vulnerabilities in sites other than the applicable Web sites.

CSIRT Description

Contact Us

This program is managed by Cy-PSIRT. Through the reporting site, you can contact us with questions about reporting vulnerabilities under this program. For other questions, you can also contact us at our e-mail address.
If you send a vulnerability report to our e-mail address instead of the reporting site, you are not eligible for a reward.

System Details

Bug Bounty Testing Environment Program

The bug bounty testing environment program is provided for those who want to help improve the quality of our services.


Application Requirements

  • You agree to the terms and conditions of the application.
  • You can communicate in Japanese or English.
  • You are not an employee of Cybozu Inc. or its subsidiary companies.
  • You can provide your own equipment to access the testing environment. There are no restrictions on what kind of equipment may be used.

Services and Products We Provide

Cloud Services

Through the bug bounty testing environment program, we provide a system that runs on servers and network lines physically separate from the production environment. You can test safely without having to consider any impact on the production environment.

Notes

1. Do not conduct testing whose purpose is to put load on the test environment.

2. Services provided through the bug bounty testing environment program run in "debug mode". If an error occurs in a service running in "debug mode", detailed information about the error is displayed on screen. The information on such error screens is provided for our own debugging, so verbose error output in this environment is not reportable as a vulnerability and is out of scope for your testing.

3. The bug bounty testing environment goes down once a month for scheduled maintenance. We notify you of maintenance in advance, but the notification may be sent at the last minute due to circumstances beyond our control. Please also note that maintenance may be performed several times in a month when emergencies require unscheduled maintenance.


Application and Inquiry

To apply for the testing environment and participate in the bug bounty program

Please apply for the testing environment from the Reporting Site.
If you need a Reporting Site account, please apply from here.

To apply for the testing environment without participating in the bug bounty program

Please apply using the following form.

Apply for Bug Bounty Testing Environment Program