Service introduction for companies and organizations

Sign up here


BugBounty Outline

It is a system to have external hackers investigate on the company's Web services or applications' “system vulnerabilities”. If a problem is identified, it will be reported, and a reward is paid for identifying the problem. Companies can determine the amount of the reword in advance depending on the vulnerability levels. Rewards are given only on reports which has technical evidence, so this is a great system for companies to improve their securities with low cost.

Flow of BugBounty program

6 Features

BugBounty.jp has 6 exclusive features which has not been seen in other conventional security systems.

  1. 01

    Protect from the
    latest attack methods

    New vulnerabilities are detected everyday on the softwares used by many companies. BugBounty program is the best way to identify the vulnerabilities that you couldn't find in the previous security assessments.

  2. 02

    Test with the
    “view of attacker”

    Complication of the systems and networks make attack methods more diverse. It is very beneficial to ask various type of hackers to test with the “view of attacker” to understand your companies security level.

  3. 03

    High cost

    You don't need to pay initial fee. It is a pure performance based reward system which covers only reports having technical evidence, so that you can improve the security with high cost performance.

  4. 04

    The PR effect

    Participating in the BugBounty program itself can be one of an effective way of promotion that shows companies or organizations focus on measures for securities.

  5. 05

    Verification support
    for vulnerabilities

    We provide “Triage Support” to determine the risk level and priority when judged to be vulnerable by substituting for reproducibility confirmation of the reported vulnerability.

  6. 06

    Many Japanese
    hackers are registered

    Many Japanese hackers have already registered to Japan's first bug bounty program platform “BugBounty.jp”. You can get reports or have communication from Japanese hackers in Japanese.

Program Type

We provide 2 types of the program you can choose depending on your purpose.

Public program

You can open your program to all the registered hackers from all over the world. You can expect more vulnerabilities to be identified by checks from numerous hackers with various skill sets.

Private program

You can limit to open the program for some specific hackers. For example, you can open it to hackers who have already reported about vulnerabilities before or those who are Japanese. It will be useful when you are worried to conduct it in the open system.


About Fee

Basic Fee


(20% of the reward accrued)

Option Fee

  • Pre-Assessment¥300,000 for 3days
  • Full Triage SupportIn cases that the reward is given for a report submitted within full triage time period, 30% of the reward will be charged.
  • Triage Support¥15,000 for each
Check for the details

You can operate it according to your budget.


About Full Support

BugBounty.jp is a platform operated by a security professional team. Expert staffs who have innovative knowledge will support you according to your circumstances.

  • 01

    Pre Vulnerability Assessment

    We recommend a pre vulnerability assessment to you in case you have concerns such as “Long time has passed since previous assessment”or “A lot of vulnerabilities might be reported in BugBounty program”.

    What is pre vulnerability assessment?

    It will be an security assessment to simply clarify the risks before starting the bug bounty program. Basically it will be conducted for 3 days, and we will report on which vulnerabilities the application have and where it will be identified. Actually, it is only an assessment to analyze the trend, so it is different from general assessments which are conducted exhaustively. BugBounty program will start after you recheck the subject referencing to the issued report.

    Procedure of Application

    Please apply from “create new program”. Our staff in charge of pre vulnerability assessment will contact you.


    ¥300,000 for 3days

    • Basically we accept from 3 days.
    • In case of large scale system, it is possible to conduct for more than 3 days.
  • 02

    Triage Support

    What is triage support?

    Triage is a term for considering risk level or priority of the vulnerability reported and selecting.

    We will perform followings related to triage on your behalf.

    • ・reproductive check
    • ・providing a detailed report (judgement of risk level)
    • ・communication with resarchers

    Flow of Application

    When you need any support, please request from detail page of each report. We offer Full Triage Support for those who want daily supports.


    • Triage Support¥15,000 for each
    • Full Triage SupportIn cases that the reward is given for a report submitted
      within the full triage time period, 30% of the reward will be charged.


Use Procedure

Every company whether domestic or foreign which provide services, applications and hardware (network devices and IoT etc.) related to the internet can apply the service.

Examples of Rewards

In this platform, we recommend each participating company to judge the risk and calculate the reward based on CVSS v3. Examples of the rewards are the followings.

Examples of BugBounty.jp (Sprout Inc.)

  • Command Injection


  • SQL Injection


  • Cross-site Scripting


  • Rate Limit


  • Cross-site Request Forgeries


  • What is CVSS?

    CVSS (Common Vulnerability Scoring System) is a opend and general scoring method for vulnerabilities in information systems, and it provides common scoring method which does not rely on venders. By using CVSS you can compare the severity levels quantitatively under the same standard. For further information, please refer to the link.

    Explanation by IPA (external site)