SORACOM, Inc.
Bounty Range
$34 - $2,040
external program
Bug Bounty
Public program
Soracom is a technology partner to over 20,000 startups and enterprises, connecting over 6 million IoT devices globally. Customers trust Soracom for affordable, reliable cellular connectivity that accelerates speed to market, makes it easy to build and scale IoT deployments, and offers access to a worldwide partner ecosystem. For more information, please visit soracom.io
SORACOM, Inc. has provided the IoT platform "SORACOM" since 2015.
As a platform that makes it easier to develop connected products and services without telecommunications expertise, built on technology for centrally managing and controlling diverse kinds of connectivity, it is used around the world, from industrial DX in manufacturing, energy, infrastructure, automotive and finance to innovative startups and initiatives that support sustainable local communities, such as agriculture and disaster prevention.
To make telecommunications and IoT more accessible, we are also working on new businesses such as "Soracom Mobile", a consumer eSIM service, and "Soracame", a cloud camera service that makes work on site easier.
For more details, please see here.
Informational: ¥0 - ¥5,000
Low: ¥5,000 - ¥10,000
Medium: ¥10,000 - ¥30,000
High: ¥30,000 - ¥100,000
Critical: ¥100,000 - ¥300,000
You can only submit a report targeted towards one of the following scopes (REST API, Web Service, Single Page Application): https://g.api.soracom.io, https://api.soracom.io, https://jp.api.soracom.io, https://console.soracom.io, https://g-v3.lagoon.soracom.io/login, https://jp-v3.lagoon.soracom.io/login
(The Japanese version is provided in the second half.)
The Program will only accept Reports relating to the following services:
SORACOM API on Platform SORACOM
Soracom API Usage Guide: https://developers.soracom.io/en/docs/tools/api-reference/
API Reference: https://developers.soracom.io/en/api/
SORACOM User Console (https://console.soracom.io/)
SORACOM Lagoon Console (https://g-v3.lagoon.soracom.io/login, https://jp-v3.lagoon.soracom.io/login)
The following items are considered out of scope:
Clickjacking on pages without sensitive actions
Open redirects, except when an additional security impact beyond simple redirection is demonstrated (e.g., reports citing only phishing risks are excluded)
Broken link hijacking, except when an additional security impact beyond simple redirection is demonstrated
Missing or misconfigured security headers without a provided practical attack vector (Proof of Concept, PoC)
Host header injection, unless a base-level risk is demonstrated
Improper TLS/SSL settings or expired certificates
Non-session cookies without HttpOnly or Secure flags set
CSRF vulnerabilities without sensitive actions
Low-security impact issues related to Cookie attributes or SSL/TLS settings
Misuse of HTTP methods
Tab-nabbing
Autocomplete enabled
Disclosure of software version information (unless an additional risk is demonstrated): Revealing server or application version details is excluded unless an additional clear security risk is proven.
Information gathering from error messages or server banner information
Incorrect setup of SPF records, DMARC, or DKIM (Lack of Email best practices)
Theoretical vulnerabilities without actual attack code provided
Vulnerabilities to brute force attacks
Absence of CSRF tokens or missing security headers
Lack of Cross-Site Request Forgery protection tokens or missing security headers (e.g., X-Content-Type-Options).
Vulnerabilities outside the target domain or issues stemming from outdated browsers/platforms
Self-XSS (Self-Cross-Site Scripting)
Issues predicated on man-in-the-middle attacks
Account takeover (squatting)
CSV (Comma Separated Values) injection without demonstrable vulnerability
Content spoofing or text injection without proven additional security risk
Inadequate email validation or password policy issues
Publishing API keys and bugs that do not impact security
Submitting reports from automated scanners or tools
Vulnerability reports after the official patch release will be judged individually for reward eligibility
Unlimited file upload without a clear security risk
Theoretical issues lacking practical severity
This program only accepts reports for the following services:
SORACOM API used on the SORACOM platform
SORACOM API Usage Guide: https://users.soracom.io/ja-jp/tools/api/
SORACOM API Reference: https://users.soracom.io/ja-jp/tools/api/reference/
SORACOM User Console (https://console.soracom.io/)
SORACOM Lagoon Console (https://g-v3.lagoon.soracom.io/login, https://jp-v3.lagoon.soracom.io/login)
The items listed below are considered out of scope.
Clickjacking on pages that do not involve sensitive operations
Open redirects: excluded unless a security impact beyond simple abuse of the redirect (e.g. token leakage or XSS) can be demonstrated (reports whose only impact is phishing are out of scope)
Broken link hijacking: excluded unless a security impact beyond simple abuse of the redirect can be demonstrated
Missing or misconfigured security headers without a practical attack method (PoC)
Host header injection: out of scope unless a risk based on it is demonstrated
Improper TLS/SSL settings or expired certificates
Non-session cookies without the HttpOnly or Secure flag set
CSRF vulnerabilities that do not involve sensitive operations
Low-security-impact issues with cookie attributes or SSL/TLS settings
Availability of improper HTTP methods
Tab-nabbing being possible
Autocomplete being enabled
Libraries containing known vulnerabilities without a practical attack method (PoC)
Disclosure of software version information (when no additional risk is demonstrated): disclosure of server or application version information is excluded unless an additional security risk is clearly demonstrated.
Information gathering from error messages or server banner information
Misconfigured SPF records, DMARC or DKIM (lack of email best practices)
Theoretical vulnerabilities without actual attack code provided
Vulnerability to brute-force attacks
Absence of CSRF tokens or missing security headers
Lack of Cross-Site Request Forgery protection tokens or missing security headers (e.g. X-Content-Type-Options).
Vulnerabilities outside the target domains or issues caused by outdated browsers/platforms
Self-XSS
Issues that presuppose a man-in-the-middle attack
Unauthorized use of accounts (squatting)
CSV (Comma Separated Values) injection without a demonstrated vulnerability
Content spoofing or text injection without a demonstrated additional security risk
Inadequate email validation or password policy issues
Publication of API keys or defects with no security impact
Submitting reports generated by automated scanners or tools, or reports whose actual impact has not been confirmed
Reward eligibility for vulnerability reports submitted after the official patch release will be judged individually
Unlimited file upload without a clear security risk
Theoretical issues lacking practical severity
The terms and conditions for this program are shown below.
The scope of our Bug Bounty Program (the “Program”) is described in the "In Scope" section. We will not respond to reports that do not fall within the “In Scope”, regardless of their content (“Out of Scope”). In order to detect and report a vulnerability, you must have read and agreed to these terms and conditions of the Program (the “Terms”) in advance.
We reserve the right to modify these Terms at any time, and your participation in this Program will constitute acceptance of the amended Terms. Please check this webpage regularly as we routinely update the Terms, which are effective upon posting.
References to “we” or “Soracom” are to SORACOM, INC.
“Affiliate” means any entity directly or indirectly controlling us, or controlled by us. For the purpose of this definition, “control” means the power to manage or direct the affairs of the entity in question, whether by ownership of voting securities, by contract, or otherwise.
“Immediate Family Member” means persons including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals.
“IssueHunt” means the bug bounty platform that we use for the operation of this Program and the entity that runs the platform.
“Relevant Parties” mean customers, employees, contractors, agents, suppliers, distributors and/or partners of Soracom or its Affiliates.
“Report” means any report, submission, comment, feedback or anything similar thereto regarding any vulnerabilities, exploitation techniques or any other security issues in our system.
To be eligible to participate in this Program, you must:
Be 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program.
Be either an individual researcher participating in your own individual capacity, or working for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.
Not be, and have not been in the past, employed by us or our Affiliates or be an Immediate Family Member of a person employed by us or our Affiliates.
Not be, and have not been in the past, engaged in any work for the development of our products and services or relating to the operations of our business, including those of our Affiliates.
Not be a resident of, or make your submission from, a country against which Japan, the United States or the United Kingdom have issued export sanctions or other trade restrictions.
Not be an entity or person subject to trade or economic sanctions or restrictions by Japan, the United States or the United Kingdom.
Be able to communicate in Japanese or English.
Agree to IssueHunt’s terms of use (https://issuehunt.jp/terms)
If (i) you do not meet the eligibility requirements above; (ii) you breach any of the Terms or any other agreements you have with Soracom or its Affiliates; or (iii) we determine that your participation in this Program could adversely impact us, our Affiliates or any of the Relevant Parties, we, in our sole discretion, may remove you from this Program and disqualify you from receiving any benefit of this Program.
Do:
Be respectful when interacting with our team, and our team will do the same.
Be patient and make a good faith effort to provide clarifications to any questions we may have about your Report.
Exercise extra caution when testing our system in order to avoid any negative impact to Soracom, its Affiliates, any Relevant Parties, and our services.
Stop testing immediately if you suspect that you might cause, or have caused, damage by testing a vulnerability in our system, and report your initial finding(s) to us. To resume testing, you must request our authorization in writing.
Do NOT:
Submit a Report using automated tools without undergoing an additional analysis as to why and how it is a security issue.
Test, research or analyze our system which is Out of Scope.
Disclose, in whole or in part, a Report or vulnerability to any third party without our explicit review and prior written consent.
Engage in any form of social engineering of the Relevant Parties.
Conduct investigations that may adversely affect us, our Affiliates, or the Relevant Parties, including but not limited to, spamming, denial-of-service attacks, transmitting viruses, and any form of physical or electronic attacks against assets or data centers owned or used by us, our Affiliates, or the Relevant Parties.
Expose our system to more vulnerabilities or put our system in a more vulnerable state than when the issue was detected.
Brute force or guess credentials to gain access to our systems.
Attempt to extract, download, or otherwise exfiltrate data that may contain personal information or any other sensitive information not lawfully owned by you.
Act in a manner that would be considered a privacy violation, cause destruction or deterioration of data, or interrupt or degrade any products and services of Soracom, our Affiliates, or the Relevant Parties.
Interact with any customer accounts for our services that you do not own.
Breach or violate any applicable laws, regulations, court orders, enforceable governmental requests, and similar legal requirements.
Take any action that is prohibited by IssueHunt’s terms of use (https://issuehunt.jp/terms)
Cause any third party to perform any of the above prohibited acts.
Any data and information you receive, obtain, gain access to or collect about us, our Affiliates or any of the Relevant Parties in connection with this Program is considered our confidential information ("Confidential Information").
You may not disclose or distribute any Confidential Information, including without limitation any information regarding the Report you created or submitted, without our prior written consent.
You may not use any Confidential Information for any purpose other than those listed below:
(i) to make the disclosure to us under this Program; or
(ii) to provide any additional information that may be required by us in relation to the submitted Report.
Immediately after being notified by us that the verification of the Report has been completed or for any other reason closed, you will permanently erase all Confidential Information you received or obtained.
If we determine, in our sole discretion, that you have complied in all respects with the Terms, we will not initiate a complaint to law enforcement or pursue a civil action against you for your activities. If legal action is initiated by a third party against you in connection with your activities, which we determine complies in all respects with the Terms, we will make it known that your activities in question were conducted in compliance with the Terms. For the avoidance of doubt, however, we will not be obligated to defend you against any such third party claims. We reserve all legal rights and remedies in the event of your noncompliance with the Terms.
Reports of a high quality are those which allow our team to better understand and respond appropriately to the issue. The Reports should provide enough actionable information for us to verify and validate the issue without requiring any follow up questions or requests for more information.
Guidelines for producing a high quality Report:
Before you begin writing your Report, confirm whether the issue you are reporting is ‘In Scope’.
Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue.
Reports consisting solely of images or videos will be regarded as Out of Scope.
A vulnerability must be verifiable and reproducible by us to be considered In Scope.
Submit one vulnerability per Report unless otherwise instructed by us.
By submitting any Report to us, you:
grant us and our Affiliates the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Report: (i) to use, review, assess, test, and otherwise analyze your Report; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Report and all its content, in whole or in part; and (iii) to feature your Report and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, trade shows, press releases etc.) in all media (now known or later developed);
agree to sign any documentation that may be required for us, our Affiliates or our designees to confirm the rights you granted above;
understand and acknowledge that we or our Affiliates may have developed or commissioned materials similar or identical to your Report, and you waive any claims you may have resulting from any similarities to your Report;
understand that you are not guaranteed any compensation or credit for use of your Report; and
represent and warrant that your Report is your own work, that you have not used information owned by another person or entity, and that you have the legal right to provide the Report to us and our Affiliates.
We retain sole discretion in determining whether a Report qualifies for a reward under the Program, and the amount of the reward to be paid for the Report. The decisions made by us regarding rewards are final and binding.
If we have determined that you are eligible for a reward under the Terms, we will notify IssueHunt of the reward amount and then IssueHunt will provide you with the information necessary to process your payment. You may waive the payment if you do not wish to receive a reward.
If there is a dispute as to who the reporter is, we will consider the authorized account holder of the email address that was used to enter the Program to be the qualified reporter.
The reward will be paid by IssueHunt to you.
SORACOM AND OUR AFFILIATES MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED BY LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
If you have any basis for recovering damages in connection with the Program (including breach of the Terms), you agree that your exclusive remedy is to recover, from us or any of our Affiliates, direct damages up to USD 100. You cannot recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose, or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to the Terms and the Program.
You will defend, indemnify, and hold harmless us, our Affiliates and the Relevant Parties, from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to your breach of the Terms.
You may not assign or otherwise transfer any rights, obligations and duties you may have under the Terms without our prior written consent. Any assignment or transfer without such consent will be null and void.
Soracom may assign and transfer rights, obligations and duties under the Terms without your consent (i) in connection with a merger, acquisition or sale of all or part of Soracom’s assets, or (ii) to any of Soracom’s Affiliates or as part of a corporate reorganization; and effective upon such assignment or transfer, the assignee/transferee is deemed substituted for Soracom as a party to the Terms and the Program, and Soracom is fully released from all of its obligations and duties to perform under the Terms. Subject to the foregoing, the Terms will be binding upon, and inure to the benefit of, the parties and their respective permitted successors and assigns.
All disputes, controversies or differences arising out of or in connection with the Program and the Terms shall be finally settled by arbitration in accordance with the Commercial Arbitration Rules of The Japan Commercial Arbitration Association. The place of the arbitration shall be Tokyo, Japan. The arbitral proceedings shall be conducted in Japanese.
The formation, validity, interpretation, and performance of the Terms and the Program will be governed by the laws of Japan.