Total Valid Reports: 0
Online household account book service
- 2019/05/27 〜 2020/05/31
- Bounty Range
- ¥1,000 ～ ¥132,000
- Only test for vulnerabilities in the applications stipulated in the scope section. Vulnerabilities reported in out-of-scope applications are not eligible for bounty rewards.
This is a production environment. Please note the following things:
- Do not create more accounts than necessary to perform your tests, and delete your account as soon as you have finished testing.
- Repetitive processing with automated tools is prohibited.
To be eligible for a bounty reward under this program you must follow the rules stipulated above.
Any vulnerability testing against out-of-scope domains is explicitly prohibited.
Any violation of the "BugBounty.jp" Terms of Service, and/or performing a DoS (Denial of Service) attack or any equivalent act that can degrade the performance of our service, is also explicitly prohibited.
- Web application
- Zaim (Corporate website)
- iOS application
- Android application
- Cross-Site Request Forgery (CSRF): up to 132,000 yen
- Remote Code Execution: up to 132,000 yen
- Authentication: up to 122,000 yen
- SQL Injection: up to 114,000 yen
- Command Injection: up to 50,000 yen
- Cross-Site Scripting: up to 27,000 yen
- Privilege Escalation: up to 27,000 yen
- Forced Browsing: up to 27,000 yen
- Open Redirect: up to 12,000 yen
- Information Disclosure: up to 11,000 yen
- Other: up to 5,000 yen
- Not Eligible
- Vulnerabilities found through automated scans or tools
- Hypothetical or theoretical vulnerabilities without working verification code
- Vulnerabilities with capability of Denial of Service attack
- Vulnerabilities with capability of brute force against password or tokens
- Password, email and account policies, such as email address verification, reset link expiration, or password complexity
- Login/Logout CSRF
- Missing CSRF tokens
- CSRF on forms that are available to anonymous users (e.g. contact form)
- Missing security headers
- Vulnerabilities found in domains out-of-scope
- Vulnerabilities affecting outdated browsers or platforms
- Presence of autocomplete attribute on web forms
- Missing secure flags on non-sensitive cookies
- Reports of insecure SSL/TLS ciphers
- Vulnerabilities with capability of username/email enumeration
- Descriptive error messages (e.g. stack traces, application or server errors)
- Banner disclosure on servers
- Misconfiguration of SPF, DMARC and DKIM records
- Invalid HTTP method
- For eligibility details, please refer to the "Terms of Service Article 4" of this site.