Genians Bug Bounty Program
Genians is a security software company that provides solutions from internal enterprise security platforms to individual endpoint device security.
Program Introduction
The Genians Bug Bounty Program seeks to make products safer by quickly identifying security issues in products and services with the help of security experts, and by rewarding those experts for their efforts.
Program Scope
Vulnerabilities in the following products and services are subject to reporting. (Reports other than the target are not eligible for rewards.)
- NAC product: Genian NAC V4.* or above
- Cloud NAC CSM service: https://my.genians.com
- Genian Device Platform Intelligence API (GDPI): https://pi-api.genians.com/pi/v1/apidocs/
- Genians company website, etc.
Note) Vulnerabilities outside of Genians products and services are not eligible for evaluation or rewards, because of concerns about facilitating illegal hacking and because they cannot be verified under the relevant law. An exception is possible only where Genians has explicitly permitted vulnerability discovery on that service.
Notes for Reporting
The report should include the following:
- Vulnerable SW version
- Vulnerability discovery method (Fuzzing, Manual auditing, etc.)
- Vulnerability summary and detailed description (including the environment in which the vulnerability occurs and attack scenario)
- Proof-of-Concept code
- Security threats due to the vulnerability
- Possible causes and countermeasures
You may be excluded from report review and reward payment in the following cases:
- Reports that are too vague or unclear
- Reports containing vulnerabilities already recognized by the bug bounty response team
Precautions When Registering as a CSM
When registering as a CSM, you must use the bug bounty-only membership registration page.
If you report a vulnerability after registering as a general CSM, you may be excluded from the reward.
Registration for bug bounty-only membership: https://my.genians.com/register/?registertype=bugbounty
Rewards
We will evaluate the impact and difficulty of the attack based on the International Standard for the Evaluation of Security Vulnerabilities (CVSS 3.1), taking into account the prevalence of affected systems and the level of vulnerability discovery.
| Severity | Bounty Range |
|---|---|
| Critical | 5.4 million KRW - 9 million KRW |
| High | 2.52 million KRW - 3.6 million KRW |
| Medium | 720,000 KRW - 1.8 million KRW |
| Low | 240,000 KRW - 480,000 KRW |
| None | N/A |
Anyone who reports a valid vulnerability through this program is rewarded according to the criteria above.
The reward scale by difficulty is based on the risk range of each vulnerability category and on CWSS (Common Weakness Scoring System), but the final amount is decided at the evaluator's discretion.
Notes About the Reward
- If multiple reports are received for the same vulnerability, the first person to provide a clear report will be rewarded.
- If the vulnerability is rated High or higher, you will be required to perform a remediation check, and the reward will be paid after the vulnerability is patched and the remediation check is completed.
- In some cases, if we determine that it will take a long time for the vulnerability to be patched, we may pay the reward first and request a follow-up inspection later.
For more information on vulnerability rewards, please refer to the Genians Vulnerability Disclosure Program Policy.
Limitations and Vulnerabilities Disclosure Policy
- Do not disclose detailed information about reported vulnerabilities to third parties until they are fixed and most users (customers) have applied the update. Disclosure is permitted only where Genians has given permission in writing or a comparable form.
- Please refrain from doing anything that may harm other users.
- Employees of Genians and its affiliates are not allowed to participate in this program.
Response Plan
- First response: 3 days
- Triage: 30 to 60 days
- Resolution: varies by vulnerability
- Bounty: paid on the last day (30th or 31st) of the month following the month in which the application is received
Ineligible for Reward
You are not eligible for the reward in the following cases:
- No proof of vulnerability, just a possibility
- Product is not the latest patched version
- The reported vulnerability cannot be reproduced at the time the report is submitted
- The vulnerability was already reported by another reporter
- Vulnerabilities that have already been reported to other bug bounty services, etc.
- Even if the vulnerability is reproduced, there is awareness of the vulnerability within Genians or Theori. In this case, we will provide the reporter with an explanation of the internal discovery and timeline upon request.
- The damage is very minimal, or the attacker would not need the vulnerability to achieve the same effect.
- Sensitive information was obtained through unnecessary actions other than demonstrating the vulnerability.
- The attack requires excessive user intervention or interaction, or prerequisites that make the attack highly unlikely to be realized.
- Social engineering hacking
- Scenarios that assume secret keys or similar material have already been compromised
- Unrealistic scenarios
- Other cases not normally recognized in bug bounty
- Other cases that are excluded from reporting vulnerabilities in the Genians Vulnerability Disclosure Program Policy