BugBounty.jp - バグバウンティ・プラットフォーム

Total Reports：540
Total Valid Reports：78

Opened

Chatwork

Program

Chatwork
chat application

Program Logo

Period

2021/01/01 〜 2021/12/31

Bounty Range

¥1,000 ～ ¥100,000

Rules

Only test for vulnerabilities on application stipulated in scope section. Any vulnerabilities reported on applications out-of-scope are not eligible for bounty rewards.

**************************************
This is a production environment. Do not create account more than necessary to perform tests, and please delete your account as soon as you finished your tests.
Please note that you should only perform tests against account you created, never other users account.
To be eligible for a bounty reward under this program you must to follow the rules stipulated above.
**************************************

Any vulnerability test against domains out-of-scope are explicitly prohibited.

Any violation on the Terms of Service of the “BugBounty.jp” and/or performance of DoS (Denial of Service) attack or equivalent act that can degrade the performance of our service are also explicitly prohibited.

Scope

Web application

Name

Chatwork アプリケーション

URL

https://www.chatwork.com/
https://go.chatwork.com/

Domain

www.chatwork.com
go.chatwork.com
appdata.chatwork.com
assets.chatwork.com
front.chatwork.com

iOS application

Name

Chatwork

URL

https://itunes.apple.com/jp/app/id463672966

Domain

www.chatwork.com

Android application

Name

Chatwork

URL

https://play.google.com/store/apps/details?id=jp.ecstudio.chatworkandroid

Domain

www.chatwork.com

Eligible For Bounty: Authentication　up to 50,000yen
Command Injection　up to 50,000yen
Cross-Site Request Forgery (CSRF)　up to 50,000yen
Remote Code Execution　up to 50,000yen
SQL Injection　up to 50,000yen
Server-Side Request Forgery (SSRF)　up to 47,000yen
Cross-Site Scripting　up to 40,000yen
other　up to 30,000yen
Path Traversal　up to 13,000yen
Privilege Escalation　up to 11,000yen
HTTP Response Splitting　up to 11,000yen
Forced Browsing　up to 11,000yen
Cleartext Transmission of Sensitive Information　up to 11,000yen
Information Disclosure　up to 5,000yen
Open Redirect　up to 5,000yen
Session Fixation　up to 5,000yen
Not Eligible For Bounty: Vulnerabilities found through automated scans or tools
Hypothetical or theoretical vulnerabilities without actual verification code
Vulnerabilities with capability of Denial of Service attack
Vulnerabilities with capability of brute force against password or tokens
Password, email and account policies, such as email id verification, reset link expiration, password complexity
Login/Logout CSRF
Vulnerabilities affecting outdated browsers or platforms
Presence of autocomplete attribute on web forms
Missing secure flags on non-sensitive cookies
Reports of insecure SSL/TLS ciphers
Vulnerabilities with capability of username/email enumeration
Descriptive error messages (e.g. Stack traces, application or server errors)
Banner disclosure on servers
Misconfiguration of SPF record, DMARC and DKIM
Invalid HTTP method
被害者の端末を直接操作する必要がある脆弱性
https://en.wikipedia.org/wiki/Tabnabbing (主要なウェブサービスが未対策のため)
Host HeaderによるOpen Redirectの脆弱性
Self XSS
API Rate Limitに関する脆弱性
Notes: For eligibility details, please refer to the "Terms of Service Article 4" of this site.