BugBounty.jp

FAQ

Service introduction for companies and organizations

Sign up here

Outline

BugBounty Outline

It is a system to have external hackers investigate on the company's Web services or applications' “system vulnerabilities”. If a problem is identified, it will be reported, and a reward is paid for identifying the problem. Companies can determine the amount of the reword in advance depending on the vulnerability levels. Rewards are given only on reports which has technical evidence, so this is a great system for companies to improve their securities with low cost.

Flow of BugBounty program

6 Features

BugBounty.jp has 6 exclusive features which has not been seen in other conventional security systems.

  1. 01

    Protect from the
    latest attack methods

    New vulnerabilities are detected everyday on the softwares used by many companies. BugBounty program is the best way to identify the vulnerabilities that you couldn't find in the previous security assessments.

  2. 02

    Test with the
    “view of attacker”

    Complication of the systems and networks make attack methods more diverse. It is very beneficial to ask various type of hackers to test with the “view of attacker” to understand your companies security level.

  3. 03

    High cost
    performance

    You don't need to pay initial fee. It is a pure performance based reward system which covers only reports having technical evidence, so that you can improve the security with high cost performance.

  4. 04

    The PR effect

    Participating in the BugBounty program itself can be one of an effective way of promotion that shows companies or organizations focus on measures for securities.

  5. 05

    Verification support
    for vulnerabilities

    We provide “Triage Support” to determine the risk level and priority when judged to be vulnerable by substituting for reproducibility confirmation of the reported vulnerability.

  6. 06

    Many Japanese
    hackers are registered

    Many Japanese hackers have already registered to Japan's first bug bounty program platform “BugBounty.jp”. You can get reports or have communication from Japanese hackers in Japanese.

Program Type

We provide 2 types of the program you can choose depending on your purpose.

Public program

You can open your program to all the registered hackers from all over the world. You can expect more vulnerabilities to be identified by checks from numerous hackers with various skill sets.

Private program

You can limit to open the program for some specific hackers. For example, you can open it to hackers who have already reported about vulnerabilities before or those who are Japanese. It will be useful when you are worried to conduct it in the open system.

Expens

About Fee

Basic charge

Triage support fee Bounty System usage fee

    Triage support costs

    ▼Full triage support

    • 2weeks

      ¥330,000 (tax included)

    • 1month

      ¥616,000 (tax included)

    • 3months

      ¥1,780,000 (tax included)

    ▼Individual triage support

    • 1report

      ¥55,000 (tax included)

    Bounty

  • Amount to pay to white hackers

    System usage fee

  • 20% of bounty

  • If no full triage support is requested,
    a separate platform usage fee of 110,000 yen will be charged.

Support

About Full Support

BugBounty.jp is a platform operated by a security professional team. Expert staffs who have innovative knowledge will support you according to your circumstances.

  • Triage support

    What is triage support?

    Sprout's diagnostic team validates the reports submitted by white hackers.
    Triage Support will specifically carry out the following work.


    ・ Reproduction verification of the reported report
    ・ Providing an original evaluation report summarizing the verification results
    ・ Verification of reported vulnerabilities
    ・ Q & A with white hackers regarding reports

    Note:
    It is up to the company to judge the evaluation of the report submitted by the white hacker.

    Types of triage support

    There are two types of triage support.

    • Full triage support diagnostic team handles all reports reported during the contract period.
    • Individual triage supportSprout's diagnostic team only responds to reports requested by companies.

    How to apply for triage support

    • FullTriage Support Please select to use Full Triage Support when registering for the program.
    • Individual triage support Please use it when a white hacker reports a vulnerability.

Process

Use Procedure

Every company whether domestic or foreign which provide services, applications and hardware (network devices and IoT etc.) related to the internet can apply the service.

Examples of Rewards

In this platform, we recommend each participating company to judge the risk and calculate the reward based on CVSS v3. Examples of the rewards are the followings.

Examples of BugBounty.jp (Sprout Inc.)

  • Command Injection

    ¥264,000

  • SQL Injection

    ¥228,000

  • Cross-site Scripting

    ¥54,000

  • Rate Limit

    ¥19,000

  • Cross-site Request Forgeries

    ¥18,000

  • What is CVSS?

    CVSS (Common Vulnerability Scoring System) is a opend and general scoring method for vulnerabilities in information systems, and it provides common scoring method which does not rely on venders. By using CVSS you can compare the severity levels quantitatively under the same standard. For further information, please refer to the link.

    Explanation by IPA (external site)