Only test for vulnerabilities on the web applications stipulated in the scope section. Vulnerabilities reported on out-of-scope web applications are not eligible for bounty rewards.
This is a production environment. Please note the following:
- Do not create more accounts than necessary to perform tests, and please
delete your account as soon as you have finished your tests.
- Repetitive processing with tools is prohibited.
To be eligible for a bounty reward under this program, you must follow the
rules stipulated above.
Any vulnerability testing against out-of-scope domains is explicitly prohibited.
Any violation of the Terms of Service of “BugBounty.jp” and/or performance
of a DoS (Denial of Service) attack or equivalent act that can degrade the
performance of our service is also explicitly prohibited.
Eligible For Bounty
- Authentication up to 50,000yen
- Command Injection up to 50,000yen
- Remote Code Execution up to 50,000yen
- SQL Injection up to 50,000yen
- Cross-Site Scripting up to 20,000yen
- Privilege Escalation up to 11,000yen
- Forced Browsing up to 11,000yen
- Cross-Site Request Forgery (CSRF) up to 9,000yen
- Information Disclosure up to 5,000yen
- Open Redirect up to 5,000yen
Not Eligible For Bounty
- Vulnerabilities found through automated scans or tools
- Hypothetical or theoretical vulnerabilities without actual verification code
- Vulnerabilities that allow a Denial of Service attack
- Vulnerabilities that allow brute force against passwords or tokens
- Password, email and account policies, such as email id verification, reset link expiration, password complexity
- Login/Logout CSRF
- Missing CSRF tokens
- CSRF on forms that are available to anonymous users (e.g. contact form)
- Missing security headers
- Vulnerabilities found in out-of-scope domains
- Vulnerabilities affecting outdated browsers or platforms
- Presence of autocomplete attribute on web forms
- Missing secure flags on non-sensitive cookies
- Reports of insecure SSL/TLS ciphers
- Vulnerabilities that allow username/email enumeration
- Descriptive error messages (e.g. stack traces, application or server errors)
- Banner disclosure on servers
- Misconfiguration of SPF record, DMARC and DKIM
- Invalid HTTP method
For eligibility details, please refer to the "Terms of Service Article 4" of this site.