Service introduction for companies and organizations
The bug bounty program is a system in which external hackers investigate a company's web services or applications for “system vulnerabilities”. If a problem is identified, it is reported, and a reward is paid for identifying it. Companies can determine the amount of the reward in advance depending on the vulnerability level. Rewards are given only for reports that have technical evidence, so this is a great system for companies to improve their security at low cost.
Flow of BugBounty program
BugBounty.jp has 6 exclusive features which have not been seen in other conventional security systems.
Protect from the latest attack methods
New vulnerabilities are detected every day in the software used by many companies. The BugBounty program is the best way to identify the vulnerabilities that you couldn't find in previous security assessments.
Test with the “view of attacker”
The growing complexity of systems and networks makes attack methods more diverse. It is very beneficial to ask various types of hackers to test with the “view of attacker” to understand your company's security level.
You don't need to pay an initial fee. It is a purely performance-based reward system that covers only reports with technical evidence, so you can improve security cost-effectively.
The PR effect
Participating in the BugBounty program can itself be an effective form of promotion, showing that the company or organization focuses on security measures.
We provide “Triage Support”: we confirm the reproducibility of a reported vulnerability on your behalf and, when it is judged to be a vulnerability, determine its risk level and priority.
hackers are registered
Many Japanese hackers have already registered with Japan's first bug bounty program platform, “BugBounty.jp”. You can receive reports from and communicate with Japanese hackers in Japanese.
We provide 2 types of program that you can choose from depending on your purpose.
You can open your program to all the registered hackers from all over the world. You can expect more vulnerabilities to be identified by checks from numerous hackers with various skill sets.
You can limit the program to specific hackers. For example, you can open it only to hackers who have already reported vulnerabilities before, or to those who are Japanese. This is useful when you are worried about running an open program.
Triage support fee + Bounty + System usage fee
¥330,000 (tax included)
¥616,000 (tax included)
¥1,780,000 (tax included)
Triage support costs
▼Full triage support
¥55,000 (tax included)
▼Individual triage support
- Amount to pay to white hackers
20% of bounty
If no full triage support is requested, a separate platform usage fee of 110,000 yen will be charged.
System usage fee
About Full Support
BugBounty.jp is a platform operated by a team of security professionals. Expert staff who have innovative knowledge will support you according to your circumstances.
What is triage support?
Sprout's diagnostic team validates the reports submitted by white hackers.
Triage Support will specifically carry out the following work.
- Reproduction verification of the submitted report
- Providing an original evaluation report summarizing the verification results
- Verification of reported vulnerabilities
- Q&A with white hackers regarding reports
Note: It is up to the company to judge the evaluation of the report submitted by the white hacker.
Types of triage support
There are two types of triage support.
- Full triage support: Sprout's diagnostic team handles all reports submitted during the contract period.
- Individual triage support: Sprout's diagnostic team responds only to reports requested by companies.
How to apply for triage support
- Full triage support: Please select Full Triage Support when registering for the program.
- Individual triage support: Please use it when a white hacker reports a vulnerability.
Any company, whether domestic or foreign, that provides internet-related services, applications and hardware (network devices, IoT, etc.) can apply for the service.
Examples of Rewards
On this platform, we recommend that each participating company judge the risk and calculate the reward based on CVSS v3. Examples of rewards are as follows.
Examples of BugBounty.jp (Sprout Inc.)
Cross-site Request Forgeries
What is CVSS?
CVSS (Common Vulnerability Scoring System) is an open, general-purpose scoring method for vulnerabilities in information systems, providing a common scoring method that does not depend on vendors. By using CVSS, you can compare severity levels quantitatively under the same standard. For further information, please refer to the link: Explanation by IPA (external site)