Updated on January 24, 2017
A bug bounty program is an initiative that rewards hackers with monetary payment for finding and reporting a system vulnerability* in a company’s web services or applications.
Each company determines the amount of bounty payment in advance based on the vulnerability level, and only pays for valid reports, making it a highly cost-effective way to improve security.
*A vulnerability is a potential security flaw in a computer or software caused by program flaws or design flaws.
We have announced our bug bounty programs through security media outlets both inside and outside of Japan, and invited security engineers and bug hunters from around the world to join.
Generally, the friendly hackers will send a report of their findings directly to the client company. Companies that require extra security analysis in relation to bug reports can use the "Triage Service" option to receive expert support from Sprout's security specialists.
The bug information reported is safely stored on Sprout’s servers, and is only made available to the security expert who reported the bug information, the client company, and Sprout's management team. All communication is encrypted with SSL.
It's free for both companies to use and friendly hackers to join. Companies only pay a bounty for valid bugs that have been found and reported. The minimum bounty is 5,000 Yen.
There are no restrictions on age or nationality. However, we are unable to pay bounties to anyone who resides in a country that is subject to economic sanctions imposed by the Japanese government (e.g. North Korea, Iran). With regard to minors, please see our "Terms of Service".
With regard to client companies, we can only provide service to those companies which are registered in Japan.
Yes, as long as you meet the required conditions as mentioned above.
No, we will accept reports in English and Japanese.
The client company must evaluate the bug report. To be eligible to receive bounty rewards, you must follow the conditions stipulated by the client company, and the reported bug must be recognized by the client company as a "valid bug", which can be reproduced and verified by the company.
Yes, we do. You can check the various bounty rewards available on the program information page. Programs without bounty rewards have point rewards.
The ‘Hall of Fame’ rankings are based on the number of points the friendly hackers have received and are updated on a real-time basis.
To join our program, you need to register your email address. In order to receive payment for bounty rewards, you need to provide your real name, postal code, address, and account information.
All personal user information is kept private. However, in the event that we are legally obligated to disclose user information pursuant to an investigation or court order (under Japanese law), we may disclose the required user information after consulting with an attorney.
Sprout will make payments for valid rewards at the end of the month following the month in which your report was validated. For example, a reward validated on June 2nd and a reward validated on June 28th would both be paid at the end of July. You can choose to receive payment via a standard bank account or PayPal.
You may lose your eligibility to receive payment of a bounty reward if you do not provide your bank information (full name, physical address and bank wire transfer details) to Sprout within 90 days of the day your reward was validated (the date your reported bug was recognized as a “valid bug” and eligible for bounty payment).
Yes, you are responsible for reporting/paying the applicable taxes for your region/country.
You can communicate with companies through the "Timeline" section of the Report page (messages can be written and posted from the comment box found near the bottom).
Yes, you will be notified of the reason the report was rejected. If you have a question or comment regarding the given explanation, you can contact the company through the Timeline.
In cases where multiple people have reported the same bug, the bounty reward will only be paid to the first person to report it.
No, only the person who reported the bug, the client company, and Sprout's management team have access to the reports.
No, disclosing any information you have found through this site to the public is prohibited. For more details, please see the "Terms of Service".
Please write reports in accordance with the report page format, provide the reproduction steps and describe the impact.
No, we only accept written reports filed through the Timeline.
To close your account, please sign in to your account, and click here.