CyberAgent, Inc./WINTICKET Bug Bounty Program
Overview
Public program
Rewards
Critical: ¥100,000 - ¥300,000
High: ¥30,000 - ¥100,000
Medium: ¥10,000 - ¥30,000
Low: ¥5,000 - ¥10,000
Informational: ¥0 - ¥5,000
In Scope
You can only submit a report targeted towards one of the following scopes:
Web Service
https://www.winticket.jp
REST API
*.winticket.jp
iOS
https://apps.apple.com/jp/app/id1455195128
Android
https://play.google.com/store/apps/details?id=jp.winticket.app
Target versions: https://www.winticket.jp/support/about#:~:text=%E5%8F%AF%E8%83%BD%E3%81%A8%E3%81%AA%E3%82%8A%E3%81%BE%E3%81%99%E3%80%82-,%E6%8E%A8%E5%A5%A8%E7%92%B0%E5%A2%83,-OS
1. Program Terms
(1) Overview
The scope of our Bug Bounty Program is described in the "In Scope" section. Reports on anything not described in "In Scope" will be treated as "Out of Scope" and closed regardless of their content. You must read and agree to these Program Terms before finding and reporting a vulnerability.
(2) Program Eligibility
To be eligible to participate in our Bug Bounty Program, you must:
- Not be employed by us or any of our affiliates, or be an immediate family member of a person employed by us or any of our affiliates.
- Not have been employed by us or any of our affiliates in the past.
- Not be a resident of, or make Submissions from, a country against which Japan has issued export sanctions or other trade restrictions.
- Be able to communicate in Japanese or English.
- Agree to the terms of use (https://issuehunt.jp/terms).
If (i) you do not meet the eligibility requirements above; (ii) you breach any of these Program Terms or any other agreements you have with us or our affiliates; or (iii) we determine that your participation in the Bug Bounty Program could adversely impact us, our affiliates or any of our users, employees or agents, we may, in our sole discretion, remove you from the Bug Bounty Program and disqualify you from receiving any benefit of the Bug Bounty Program.
(3) Program Rules
Do:
- Be patient & make a good faith effort to provide clarifications to any questions we may have about your report.
- Respect privacy & make a good faith effort not to access, process or destroy personal data.
- Be respectful when interacting with our team, and our team will do the same.
- Exercise caution when testing to avoid negative impact to customers and the services they depend on.
- Stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
Do NOT:
- Research anything outside of what is outlined in "In Scope".
- Publicly disclose a Vulnerability without our explicit review and consent.
- Leave any system in a more vulnerable state than you found it.
- Submit reports generated by automated tools without additional analysis of how the findings constitute an issue.
- Brute force credentials or guess credentials to gain access to systems.
- Engage in any form of social engineering of our employees, customers, or partners.
- Engage or target any of our employees, customers, or partners during your testing.
- Attempt to extract, download, or otherwise exfiltrate data that may have PII or other sensitive data other than your own.
- Do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Interact with accounts you do not own.
- Do anything that is prohibited by the terms of use (https://issuehunt.jp/terms).
Out of Scope:
- Reports without an accompanying proof-of-concept demonstrating vulnerability.
- Vulnerabilities caused by brute force attacks against passwords or tokens.
- Trivial issues like inadequate email verification, password reset link expiration date or password complexity.
- Login/Logout CSRF.
- Missing CSRF tokens.
- CSRF of forms available to anonymous users like ones for Q&A or public survey.
- Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability.
- Vulnerabilities discovered from other domains than the specified target domains.
- Vulnerabilities caused by outdated platforms like a browser or an OS of a client.
- Vulnerabilities caused by form autocompletion.
- Missing secure flags for unimportant cookies.
- Insecure SSL/TLS ciphers.
- Vulnerabilities allowing enumeration of usernames and emails.
- Error messages like stack traces from client apps or server APIs.
- Server Banner Disclosure.
- Misconfiguration of SPF record, DKIM, and DMARC records.
- Invalid/Improper HTTP methods.
- Bugs and vulnerabilities in pre-release features.
- Vulnerabilities originating from external services (outside the target domain).
2. Disclosure Policy and Confidentiality
Any data you receive, obtain access to or collect about us, our affiliates or any of our customers, employees or agents in connection with the Bug Bounty Program is considered our confidential information ("Confidential Information").
Confidential Information must be kept confidential and only used: (i) to make the disclosure to us under the Bug Bounty Program; or (ii) to provide any additional information that may be required by us in relation to the submitted report. No further use or exploitation of Confidential Information is allowed. Upon our request, you will permanently erase all Confidential Information from any systems and devices.
You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Bug Bounty submitted report, without our prior explicit consent.
3. Legal
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. We reserve all legal rights in the event of noncompliance with this policy.
We also reserve the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms.
By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission. By making a Submission, you give us the right to use your Submission for any purpose.
Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.
4. Submitting Reports
(1) Report Quality
High quality submissions allow our team to understand the issue better and engage the appropriate teams to fix. The best reports provide enough actionable information to verify and validate the issue without requiring any follow up questions for more information or clarification.
- Check the scope before you begin writing your report to ensure the issue you are reporting is in scope for the program.
- Think through the attack scenario and exploitability of the vulnerability, and provide as many clear details as possible so that our team can reproduce the issue.
- Video-only or image-only reports will not be considered.
- A vulnerability must be verifiable and reproducible for us to consider it In Scope.
- Submit one vulnerability per report unless otherwise required.
(2) Not Eligible for Reward
- If we have already received or are aware of a similar report, or if the report is outside of the scope, it is not eligible for the reward and will be closed regardless of its content.