Ethical Hacker User Terms of Service
English Version (For Convenience)
Section titled “English Version (For Convenience)”Article 1 (Application)
Section titled “Article 1 (Application)”- These Terms apply to all relationships concerning the use of the BBHunt Japan platform (the “Service”) as an ethical hacker user (as defined in Article 2) provided by BBHunt Japan K.K. (the “Company”).
- An ethical hacker user shall be deemed to have agreed to these Terms upon commencing use of the Service.
- Rules and other provisions posted by the Company on the Service from time to time shall constitute part of these Terms.
Article 2 (Definitions)
Section titled “Article 2 (Definitions)”- “Service” means the bug bounty platform operated by the Company, which provides a platform for organizations (“Clients”) to request vulnerability assessments of their services and for security researchers to discover and report vulnerabilities.
- “Ethical Hacker User” (hereinafter referred to as “Hacker”) means a registered user who conducts vulnerability assessments and reports on Client services through the Service, including all ethical hackers, cybersecurity experts, security researchers, and other registered users.
- “Vulnerability Information” means information regarding vulnerabilities discovered by a Hacker and reported through the Service.
- “Reward” means compensation paid by a Client to a Hacker for vulnerability reports.
- “Program” means the vulnerability assessment request details, scope, reward amounts, and other information published by Clients on the Service.
Article 3 (Registration)
Section titled “Article 3 (Registration)”- Any person wishing to use the Service as a Hacker (“Applicant”) may apply for registration by agreeing to these Terms and providing information designated by the Company in the manner prescribed by the Company.
- Registration as a Hacker requires meeting the following conditions: (1) Being at least 18 years of age (2) Not being a resident of, or accessing the Service from, a country against which Japan has issued export sanctions or other trade restrictions (3) Being able to communicate in Japanese or English (4) Not being an employee of the Company (including former employees). Additionally, when participating in each program, not being an employee of the Client of that program (including former employees) (5) Not being an organized crime group or equivalent (boryokudan) (6) Completing identity verification as set forth in Article 4
- The Company may refuse registration if the Applicant does not meet the above conditions or falls under any of the following: (1) The Company determines there is a risk of violation of these Terms (2) False, erroneous, or omitted information was provided (3) The Applicant previously had registration cancelled (4) The Company otherwise determines registration is inappropriate
Article 4 (Identity Verification - KYC)
Section titled “Article 4 (Identity Verification - KYC)”- Hackers are required to complete the Company’s prescribed Know Your Customer (“KYC”) process to use the Service.
- The KYC process includes providing the following information: (1) Identity verification documents (passport, driver’s license, or other government-issued identification accepted by the Company) (2) Proof of address (utility bills, bank statements, etc.) (3) Other information designated by the Company
- The Company may refuse or cancel a Hacker’s registration if the KYC process cannot verify the Hacker’s identity or if false information is provided.
- Hackers shall promptly notify the Company of any changes to the information provided during the KYC process and provide updated information.
- The Company will not use personal information collected during the KYC process for purposes other than identity verification.
Article 5 (Payment Accounts)
Section titled “Article 5 (Payment Accounts)”- To receive Rewards, Hackers must register a valid PayPal account and complete the Company’s verification.
- Hackers shall provide accurate payment account information (PayPal account, etc.) and shall not provide false information.
- Hackers shall promptly notify the Company of any changes to payment account information and provide updated information.
- The Company may withhold Reward payments to Hackers whose payment account verification has not been completed.
- The Company may introduce other payment methods in the future in addition to PayPal.
Article 6 (Account Management)
Section titled “Article 6 (Account Management)”- Hackers shall manage their account information at their own responsibility and shall not allow third parties to use, lend, transfer, or sell their accounts.
- Hackers shall be liable for damages arising from inadequate management or third-party use of account information, and the Company shall bear no responsibility.
- If a Hacker discovers that their account information has been stolen or is being used by a third party, they must immediately notify the Company.
Article 7 (Program Participation)
Section titled “Article 7 (Program Participation)”- Hackers may participate in programs published on the Service and conduct vulnerability assessments within the scope of such programs.
- Before participating in a program, Hackers must review and agree to the program’s terms, scope, and reward amounts.
- Hackers shall not conduct investigations outside the scope of programs.
Article 8 (Reporting Obligations and Quality)
Section titled “Article 8 (Reporting Obligations and Quality)”- Hackers shall report discovered vulnerabilities through the Company’s prescribed reporting form.
- Reports must meet the following quality standards: (1) Clear reproduction steps for the vulnerability (2) Description of the vulnerability’s impact and severity (3) Textual explanation (not video or images only) (4) One vulnerability per report
- Hackers shall respond in good faith to questions from the Company or Clients.
Article 9 (Rewards)
Section titled “Article 9 (Rewards)”- When a Client receives a Hacker’s report and decides to pay a reward, the Hacker will be notified through the method prescribed by the Company.
- Upon the Client’s completion of the reward award process and payment of the PayPal invoice, the Company shall pay the Reward to the Hacker via PayPal.
- Clients pay a Reward Fee to the Company for handling Reward payments to Hackers. The Reward Fee is borne by the Client and is not deducted from the Hacker’s Reward.
- Upon the Hacker’s receipt of the Reward, the entire reward award transaction shall be deemed completed.
- Hackers shall specify the PayPal account registered under Article 5 for receiving Rewards.
- Taxes may be imposed on rewards depending on the Hacker’s location. Hackers are responsible for their own tax filings.
Article 10 (Prohibited Activities)
Section titled “Article 10 (Prohibited Activities)”Hackers shall not engage in the following activities when using the Service:
- Investigations outside program scope
- Brute force or credential guessing to gain access
- Social engineering
- Denial of service (DoS) attacks
- Submitting reports using only automated scanners or tools
- Attacks on Client employees, customers, or partners
- Extracting, downloading, or exfiltrating personal information or confidential data
- Viewing, deleting, modifying, or publishing data using discovered vulnerabilities
- Disclosing vulnerabilities without prior written consent from the Company or Client
- Unauthorized access to others’ personal information
- Infringement of the Company’s or other users’ intellectual property rights
- Criminal acts or acts contrary to public order and morality
- Sending computer viruses or other harmful programs
- Interfering with the Company’s operation of the Service
- Other activities the Company deems inappropriate
Article 11 (Safe Harbor)
Section titled “Article 11 (Safe Harbor)”- The Company shall request each Client publishing programs on the Service to agree not to take legal action against Hackers who conduct vulnerability assessments and reports in good faith in accordance with these Terms and individual program terms.
- Hackers who conduct vulnerability assessments and reports in good faith in accordance with these Terms and individual program terms may receive safe harbor protection from the Client of that program. However, the scope and content of such protection shall be determined by each Client.
- The Company does not guarantee the provision of safe harbor protection by Clients. The Company shall bear no liability in cases where a Client does not provide safe harbor protection or where third parties other than the Client take legal action.
- This safe harbor provision does not apply if the Hacker’s activities do not comply with these Terms or individual program terms.
- Hackers shall not make any claims against the Company for damages arising from safe harbor protection under this Article. The Company shall bear no liability to Hackers or third parties for damages arising from the provision or non-provision of safe harbor protection.
Article 12 (Confidentiality)
Section titled “Article 12 (Confidentiality)”- Hackers shall treat all information obtained through the Service as confidential information of the Company and Clients.
- Hackers may use confidential information only for the following purposes: (1) Reporting vulnerabilities to the Company or Clients (2) Providing additional information requested by the Company or Clients in connection with reports
- Hackers shall not use, disclose, or distribute confidential information without prior written consent from the Company or Clients.
- Upon request from the Company or Clients, Hackers shall permanently delete all confidential information.
Article 13 (Intellectual Property)
Section titled “Article 13 (Intellectual Property)”- Hackers represent and warrant that their vulnerability reports are original and that they have the right to submit them.
- By submitting reports, Hackers grant the Company and Clients the right to use such reports for any purpose.
- All intellectual property rights related to the Service belong to the Company or legitimate rights holders.
Article 14 (Personal Information)
Section titled “Article 14 (Personal Information)”- The Company shall appropriately handle Hackers’ personal information in accordance with the Act on the Protection of Personal Information (APPI).
- The handling of Hackers’ personal information shall be as set forth in the Company’s Privacy Policy.
Article 15 (Disclaimer)
Section titled “Article 15 (Disclaimer)”- The Company shall bear no liability for damages arising from interruption, suspension, termination, unavailability, or changes to the Service.
- The Company shall bear no liability for disputes between Clients and Hackers regarding reward payments.
- The Company shall bear no liability for damages arising from actions taken by Hackers based on information obtained through the Service.
Article 16 (Account Suspension and Cancellation)
Section titled “Article 16 (Account Suspension and Cancellation)”- The Company may suspend or cancel a Hacker’s account without prior notice if the Hacker falls under any of the following: (1) Violation of these Terms (2) Discovery of false information in registration or KYC process (3) The Company determines the Hacker is or may be an organized crime group (4) No use of the Service for more than one year and no response to Company communications (5) The Company otherwise determines continued registration is inappropriate
- If registration is cancelled pursuant to the preceding paragraph, any unpaid reward obligations shall be extinguished.
Article 17 (Exclusion of Anti-Social Forces)
Section titled “Article 17 (Exclusion of Anti-Social Forces)”- Hackers represent and warrant that they and their key management personnel are not anti-social forces at the time of commencing use of the Service and guarantee they will not become such during the period of use.
- Hackers guarantee that they will not engage in violent demands, unreasonable demands beyond legal responsibility, threatening behavior or violence in connection with the use of the Service.
Article 18 (Amendment of Terms)
Section titled “Article 18 (Amendment of Terms)”- The Company may amend these Terms.
- When amending these Terms, the Company will notify Hackers of such changes. If a Hacker uses the Service after notification or does not complete cancellation procedures within the period prescribed by the Company, the Hacker shall be deemed to have agreed to the amendments.
Article 19 (Governing Law and Jurisdiction)
Section titled “Article 19 (Governing Law and Jurisdiction)”- These Terms shall be governed by Japanese law.
- Any disputes arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the Osaka District Court or Osaka Summary Court as the court of first instance.
Article 20 (Consultation)
Section titled “Article 20 (Consultation)”Any matters not provided for in these Terms or any doubts arising regarding the interpretation of these Terms shall be resolved through consultation between the Hacker and the Company in good faith.
Article 21 (Language)
Section titled “Article 21 (Language)”The Japanese version of these Terms is the authoritative version. In the event of any discrepancy between the Japanese and English versions, the Japanese version shall prevail.

