Frequently Asked Questions and Answers
Q What is a bug bounty program?
A bug bounty program is an initiative that rewards hackers with monetary payment for finding and reporting a system vulnerability※ in a company’s web services or applications.
Each company determines the amount of bounty payment in advance based on the vulnerability level, and only pays for valid reports, making it a highly cost-effective way to improve security.
※A vulnerability is a potential security flaw in a computer or software caused by program flaws or design flaws.
Q What conditions are required to qualify for a bounty reward?
The client company must evaluate the bug report. To be eligible to receive bounty rewards, you must follow the conditions stipulated by the client company, and the reported bug must be recognized by the client company as a "valid bug", which can be reproduced and verified by the company.
Q Do you have any programs that offer non-monetary bounty rewards?
Yes, we do. You can check the various bounty rewards available on the program information page. Programs without bounty rewards offer point rewards.
Q How is the "Ranking" determined?
The ‘Hall of Fame’ rankings are based on the number of points the friendly hackers have received and are updated on a real-time basis.
Q How can I use/join your program?
Q How much does it cost to use/join your program?
It's free for both companies to use and friendly hackers to join. Companies only pay a bounty for valid bugs that have been found and reported. The minimum bounty is 1,000 Yen.
Q Are there any eligibility requirements to join?
There are no restrictions on age or nationality. However, we are unable to pay bounties to anyone who resides in a country that is subject to economic sanctions imposed by the Japanese government (e.g. North Korea, Iran). With regard to minors, please see our "Terms of Service".
With regard to client companies, we can only provide service to those companies which are registered in Japan.
Q I'm not living in Japan, can I join as a researcher?
Yes, as long as you meet the required conditions as mentioned above.
Q Do the bug reports have to be in Japanese?
No, we will accept reports in English and Japanese.
Q How are bug reports issued?
Generally, the friendly hackers will send a report of their findings directly to the client company. Companies who require extra security analysis in relation to bug reports can use the "Triage Service" option to receive expert support from Sprout's security specialists.
Q How does BugBounty.jp manage the bug information reported?
The bug information reported is safely stored on Sprout’s servers, and is only made available to the security expert who reported the bug information, the client company, and Sprout's management team. All communication is encrypted with SSL.
Q How can I communicate with a company that I have reported a bug to?
You can communicate with companies through the "Timeline" section of the Report page (messages can be written and posted from the comment box found near the bottom).
Q Can I find out why my report was deemed as not valid?
Yes, you will be notified of the reason the report was rejected. If you have a question or comment regarding the given explanation, you can contact the company through the Timeline.
Q Can I receive bounty rewards for reporting a bug that has also been reported by others?
In cases where multiple people have reported the same bug, the bounty reward will only be paid to the first person to report it.
Q Can I see report details filed by others?
No, only the person who reported the bug, the client company, and Sprout's management team have access to the reports.
Q Can I disclose any bugs that I have found to the public?
No, disclosing any information you have found through this site to the public is prohibited. For more details, please see the "Terms of Service".
Q How should I write a report?
Please write reports in accordance with the report page format, provide the reproduction steps and describe the impact.
Q Can I report using video?
No, we only accept written reports filed through the Timeline.
Q How and when do I receive payment of a bounty reward?
Sprout will make payments for valid rewards at the end of the month following the month that your report was validated. For example, a reward validated on June 2nd and a reward validated on June 28th would both be paid at the end of July. You can choose to receive the payment to a standard bank account or PayPal.
Q Are there any limitations on receiving payment of a bounty reward?
You may lose your eligibility to receive payment of a bounty reward if you do not provide the bank information (full name, physical address and bank wire transfer details) to Sprout within 90 days of the day your reward was validated (the date your reported bug was recognized as a “valid bug” and eligible for bounty payment).
Q Do I need to pay tax on payments I have received for bounty rewards?
Yes, you are responsible for reporting/paying the applicable taxes for your region/country.
Q Do I have to register my personal information to join?
To join our program, you need to register your email address. In order to receive payment for bounty rewards, you need to provide your real name, postal code, address, and account information.
Q Can anyone else see my data?
All personal user information is kept private. However, in the event that we are legally obligated to disclose user information pursuant to an investigation or court order (under Japanese law), we may disclose the required user information after consulting with an attorney.
Q How do I close my account?
To close your account, please sign in to your account, and click here.
- Mail : email@example.com
- Tel : 03-6450-4175