Cybozu Bug Bounty Program

The Bug Bounty Program was started in June 2014. We pay a reward as a token of our gratitude to those who discover and report vulnerabilities in our packaged products or in our cloud services. The reward for a vulnerability starts from 1,000 yen and can go up to a maximum of 500,000 yen. (If multiple vulnerabilities are detected from one vulnerability report, the maximum amount is 1,000,000 yen. The reward amount will vary during special offers.) We also provide the "bug bounty testing environment program" so that you can conduct tests safely without having to consider any impact on the production environment. To report a vulnerability you discovered, click here.

Program Overview

Program Purpose

The Bug Bounty Program is a system intended to discover and remove, at an early stage, zero-day vulnerabilities that might exist in services provided by Cybozu.


Program Period

Wednesday, March 1, 2017 - Wednesday, December 20, 2017
※ Approximately one year after the start, we will review the program.


Participation Requirements

Anyone can participate as long as they fulfill the following requirements:


  • You are not an employee of Cybozu Inc. or its associated companies.
  • You can communicate with Cy-SIRT in Japanese or English.
  • You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.
  • You agree with the terms and conditions.

Steps in This Program

  1. Apply for the bug bounty testing environment program
    ※ Optional
  2. Test
  3. Report
  4. Get qualified
  5. Receive rewards

Applicable Products, Services, and Web Sites

Products and Services

Cloud Services

  • cybozu.com administration and common settings
  • Cybozu Office on cybozu.com
  • Garoon on cybozu.com
  • kintone
  • Mailwise on cybozu.com
  • Client Certificate Authentication
  • cybozu.com Store
  • Cybozu Live
  • cybozu.com operational base

With the end of the service, Cybozu Live will be excluded from the Bug Bounty Program at 15:00 on Wed, Dec 20, 2017 (UTC).

Packaged Products

  • Cybozu Office
  • Cybozu Mailwise
  • Cybozu Garoon
  • Cybozu Full Text Search Server for Garoon

Mobile Services

  • Cybozu(R) KUNAI
  • Cybozu Remote Service
  • kintone android app
  • kintone iPhone app
  • サイボウズ Office 新着通知 (Cybozu Office New Notifications)
    ※ Japanese version only
  • Cybozu Live Timeline

Peripheral Services

  • Garoon API
  • kintone API (REST API and JavaScript API)
  • User API
  • Marketplace
  • Cybozu Desktop (Windows version and Mac version)

Security Testing in the Production Environment (the Environment Used by Our Customers)

You are not allowed to conduct security testing in the production environment. Do not act in such a way that would disturb other customers.

If a penetration tester interferes with the operations of our services, we may take measures such as blocking their access to our services without any prior warning.

Environments in Which Security Testing Is Prohibited

  • subdomain.cybozu.com
  • cybozulive.com
  • subdomain.kintone.com
  • subdomain.cybozu.cn

Web Sites

Service Introduction Web Sites

  • Product Web sites: https://www.cybozu.com, https://www.kintone.com
  • kintone: https://kintone.cybozu.com
  • Mailwise: https://mailwise.cybozu.com

Related Web Sites

  • Help Web sites: https://help.cybozu.com, https://help.kintone.com, https://help.cybozu.cn
  • cybozu.com operating status: https://status.cybozu.com, https://status.kintone.com
  • Knowledge Base: https://support.cybozu.com
  • Cybozu CDN: https://js.cybozu.com, https://js.kintone.com, https://js.cybozu.cn

Security Testing for Web Sites

The Web sites listed above are in scope for security testing. However, do not conduct testing that violates the following important points, and do not act in a way that would disturb other customers. If a penetration tester interferes with the operation of our Web sites, we may take measures such as blocking their access to our services without any prior warning.

1. Load Testing Is Prohibited

Do not implement testing methods that put a considerable load on the environment. Also, do not conduct testing with the purpose of putting load on the environment.

2. A Specified E-mail Address Must Be Used for Testing

To test the forms that are on our Web sites, specify pentester@cybozutest.co.jp as the e-mail address.

How Rewards Are Calculated

The reward amount will vary during special offers.

Products and Services

CVSS v3 base score of 9.0 to 10.0 × rate of 50,000 yen = 450,000 to 500,000 yen

CVSS v3 base score of 7.0 to 8.9 × rate of 30,000 yen = 210,000 to 267,000 yen

CVSS v3 base score of 0.0 to 6.9 × rate of 10,000 yen = 0 to 69,000 yen

If Multiple Vulnerabilities Are Detected from One Vulnerability Report, the Maximum Amount Is 1,000,000 Yen

See the "Cybozu Bug Bounty Program Rulebook" to learn in detail the method used for calculating rewards as well as the calculations that were added in 2017 or later.

About CVSS v3 Base Score

CVSS is an open, general-purpose method of evaluating vulnerabilities in information systems. It represents the severity of a vulnerability as a number from 0.0 to 10.0. For details, see FIRST's Web site.


Web Sites

1 vulnerability × 10,000 yen = Reward amount

Rewards for vulnerabilities found on Web sites are calculated at the fixed rate described above. CVSS v3 is not applied even when the vulnerability is found in CGI, JavaScript, or other programs. For the list of applicable Web sites, see the section "Applicable Products, Services, and Web Sites" above.

Donating Rewards

You can donate earned rewards to an OSS community selected by Cybozu, instead of claiming the reward. If you choose to donate your reward, Cybozu also will donate the same amount as your reward to the OSS community. For details about donations, see the "Cybozu Bug Bounty Program Rulebook".

Report

Report from the Web Form

Report Form for Vulnerability Information

Report by E-mail

E-mail: productsecurity@cybozu.co.jp
Be sure to include the following information:

  • Your name: (Write your name.)
  • Summary: (Briefly summarize what kind of problem occurs.)
  • Environment in which you found the vulnerability: (Describe the operating system, browser, and so on precisely, so that the problem can be reproduced.)
  • How to reproduce: (Describe how to reproduce the problem in detailed steps.)

Contact Us

This program is managed by the CSIRT in Cybozu, Inc., called Cy-SIRT. All inquiries regarding this program must be made by e-mail or by using the Web form. Inquiries made by other methods will not be answered.

System Details

Bug Bounty Testing Environment Program

The bug bounty testing environment program is provided for those who want to cooperate to improve the quality of our services.


Application Requirements

  • You agree with the terms and conditions of the application.
  • You can communicate in Japanese or English.
  • You are not an employee of Cybozu Inc. or its associated companies.
  • You can provide equipment available to access a tested environment. There are no restrictions on what kind of equipment can be used.

Services and Products Available for Testing

Cloud Services

With the bug bounty testing environment program, we provide a system that is on physically separate servers and lines from the production environment. You can conduct tests safely without considering any impact on the production environment.

Notes

Services provided through the bug bounty testing environment program run in "debug mode". If an error occurs on a service running in "debug mode", detailed information about the error is displayed on the screen. The information on such error screens is provided for our own debugging and is out of scope for your vulnerability testing.

Packaged Products

To test a packaged product, you need to set up an environment yourself. If you want to test a product in greater detail, we can provide a license for testing. For details, please contact the Cy-SIRT office (pentest@cybozu.co.jp).

  • Cybozu Office 10
  • Cybozu Garoon 4
  • Cybozu Mailwise 5
  • Remote Service
  • KUNAI

Application and Inquiry

Apply for Bug Bounty Testing Environment Program