Cybozu Bug Bounty Program

The Bug Bounty Program was started in June 2014. We pay a reward as a token of our gratitude to those who discover and report vulnerabilities in our applicable products. The maximum reward per vulnerability is 1,000,000 yen. We also provide the "bug bounty testing environment program" so that you can conduct tests safely without having to consider any impact on the production environment. To report a vulnerability you have discovered, click here.

Program Overview

Program Purpose

The Bug Bounty Program is a system intended to discover and fix, at an early stage, zero-day vulnerabilities that might exist in services provided by Cybozu.


Program Period

April 24, 2020 - December 18, 2020

This year's bug bounty will end on Fri, December 18, 2020 (JST).
In case your bug report comes after this date, it will be evaluated next year.


Vulnerability information acceptance period

We will accept vulnerability information at any time.


Participation Requirements

Anyone can participate as long as they fulfill the following requirements:


  • You are not an employee of Cybozu or its subsidiary companies as of the time of reporting.
  • You don't work for Cybozu or its subsidiary companies as of the time of reporting under a contract such as a work delegation agreement, secondment agreement, dispatching agreement or the like.
  • You have not been employed as a regular full-time employee of Cybozu or its subsidiary companies in the past.
  • You have not worked in product development or cloud service operation at Cybozu or its subsidiary companies in the past.
  • You can communicate with Cy-PSIRT in Japanese or English.
  • You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.
  • You agree with the terms and conditions.

Steps in This Program

  1. Apply for the bug bounty testing environment program
    ※ Optional
  2. Test
  3. Report
  4. Get evaluated
  5. Receive rewards

Applicable Products, Services, and Web Sites

Products and Services

Cloud Services
  • cybozu.com administration
    ※Except for "Contact Us" function
  • Cybozu Office on cybozu.com
  • Garoon on cybozu.com
  • kintone
  • Mailwise on cybozu.com
  • Client Certificate Authentication
  • cybozu.com Store
  • cybozu.com operational base
Mobile Services
  • Cybozu(R) KUNAI
  • kintone Mobile
  • Mailwise Mobile
  • サイボウズ Office 新着通知 (Cybozu Office New Notifications)
    ※ Japanese version only
Peripheral Services
  • Garoon API
  • kintone API (REST API and JavaScript API)
  • User API
  • Marketplace
  • Cybozu Desktop 2

Web Sites

※ Target domains: "cybozu.com", "kintone.com", "cybozu.cn"

Service Introduction Web Sites
  • Product Web sites
    https://www.cybozu.com
    https://www.kintone.com
Related Web Sites
  • Help Web sites
    https://help.kintone.com
    https://help.cybozu.cn
  • cybozu.com operating status
    https://status.cybozu.com
    https://status.kintone.com
  • Cybozu CDN
    https://js.cybozu.com
    https://js.kintone.com
    https://js.cybozu.cn
  • Others
    https://blog.kintone.com

Restrictions and Prohibitions

If a penetration tester interferes with the operation of our services, we may take measures such as blocking their access to our services without prior warning, and may restrict their participation in the program in the future. For details, please refer to Article 6 "Restrictions and Prohibitions" of the terms.

1. Environments in Which Security Testing Is Prohibited
  • (subdomain).cybozu.com
  • (subdomain).kintone.com
  • (subdomain).cybozu.cn
  • Web sites with domain names that end with "co.jp"
  • Web sites that are not listed as the applicable sites
  • https://cybozu.net
2. Functions in Which Security Testing Is Prohibited
  • "Contact Us" function of cybozu.com administration
3. Load Testing Is Prohibited

Do not use testing methods that put a considerable load on the environment, and do not conduct testing whose purpose is to put load on the environment.

Rewards

Products and Services

The basic amount is determined by the vulnerability type. The reward is that basic amount multiplied by the "coefficient by product" of the affected product.

Vulnerability type                              Reward
RCE                                             1,000,000 yen
SQL injection                                   60,000 ~ 250,000 yen
Injection (except SQL injection)                20,000 ~ 100,000 yen
Permissions, Privileges, and Access Controls    20,000 ~ 300,000 yen
Improper Input Validation                       20,000 ~ 250,000 yen
XSS                                             40,000 ~ 65,000 yen
Others                                          10,000 ~ 300,000 yen

Product                                                                                   Coefficient
kintone, kintone Mobile, cybozu.com administration, and cybozu.com operational base       ×5
Garoon                                                                                    ×2
Others                                                                                    ×1

For details on how to judge vulnerability information in Cybozu Bug Bounty Program, see "Vulnerability Identification Guidelines".

See the "Cybozu Bug Bounty Program Rulebook" to learn the calculation method in detail.
Note that information on how much reward a reporter receives is not disclosed to anyone other than the reporter.


Web Sites

1 vulnerability × 20,000 yen = Reward amount

RCE: 1,000,000 yen (flat rate)

Rewards for vulnerabilities found on Web sites are calculated using the fixed rates described above, even when the vulnerability is found in CGI, JavaScript, or another program running on the site. For the list of applicable Web sites, see the tables above in the section "Applicable Products, Services, and Web Sites".

Donating Rewards

You can donate earned rewards to an OSS community selected by Cybozu instead of claiming the reward. If you choose to donate your reward, Cybozu will also donate the same amount as your reward to the OSS community. For details about donations, see the "Cybozu Bug Bounty Program Rulebook".

Report

Report from the Reporting Site

Vulnerability Report

Please contact us at the following e-mail address to inform us of security incidents on Web sites not covered by the program.
※ Reports on Web sites not covered by the program are not eligible for a reward.

CSIRT Description

Contact Us

This program is managed by the PSIRT of Cybozu, Inc., called Cy-PSIRT. All inquiries regarding this program must be made through the Reporting Site. Any other inquiry can be sent via e-mail.

System Details

Bug Bounty Testing Environment Program

The bug bounty testing environment program is provided for those who want to cooperate to improve the quality of our services.


Application Requirements

  • You agree with the terms and conditions of the application.
  • You can communicate in Japanese or English.
  • You are not an employee of Cybozu Inc. or its subsidiary companies.
  • You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.

Services and Products Available for Testing

Cloud Services

With the bug bounty testing environment program, we provide a system that is on physically separate servers and lines from the production environment. You can conduct tests safely without considering any impact on the production environment.

Notes

Services provided through the bug bounty testing environment program run in "debug mode". If an error occurs on a service running in "debug mode", detailed information about the error is displayed on the screen. The information on such error screens is intentionally provided for our debugging; it is not an information disclosure finding and is out of scope for your vulnerability testing.
Also, do not conduct testing whose purpose is to put load on the environment.


Application and Inquiry

To apply for the verification environment and participate in the bug bounty program

Please apply for the verification environment from the Reporting Site.
If you need the Reporting Site Account, please apply from here.

To apply for the verification environment without participating in the bug bounty program

Please apply from the following form.

Apply for Bug Bounty Testing Environment Program