Program Rules Template
English Version (For Convenience)
Section titled “English Version (For Convenience)”1. Program Terms
Section titled “1. Program Terms”(1) Overview
Section titled “(1) Overview”The scope of [Client Name]’s (hereinafter “our”) Bug Bounty Program is described in the “In Scope” section. Reports outside of that which is described in “In Scope” will be determined as “Out of Scope” and closed regardless of their content. You must read and agree to these program terms before finding and reporting a vulnerability.
(2) Program Eligibility
Section titled “(2) Program Eligibility”To be eligible to participate in our Bug Bounty Program, you must:
- Be at least 18 years of age.
- Not be employed by us or any of our subsidiaries (including former employees).
- Not be engaged in our business through outsourcing contracts, secondment contracts, dispatch contracts, or other contract forms.
- Able to communicate in Japanese or English.
- Not be a resident of, or make Submissions from, a country against which the Japan has issued export sanctions or other trade restrictions.
- Agree to BBHunt Japan’s terms of use.
- Complete BBHunt Japan’s identity verification (KYC) process.
- Register and verify a valid PayPal account for receiving Rewards.
If (i) you do not meet the eligibility requirements above; (ii) you breach any of these Program Terms or any other agreements you have with us or its affiliates; or (iii) we determine that your participation in the Bug Bounty Program could adversely impact us, our affiliates or any of our users, employees or agents, we, in our sole discretion, may remove you from the Bug Bounty Program and disqualify you from receiving any benefit of the Bug Bounty Program.
2. In Scope
Section titled “2. In Scope”(1) Systems in Scope
Section titled “(1) Systems in Scope”[List of systems in scope]
Example:
- https://example.com
- https://api.example.com
- Mobile applications (iOS/Android)
(2) Vulnerability Types in Scope
Section titled “(2) Vulnerability Types in Scope”[List of vulnerability types in scope]
Example:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- Authentication/Authorization flaws
- Denial of Service (DoS)
(3) Out of Scope
Section titled “(3) Out of Scope”[List of out-of-scope items]
Example:
- Denial of Service attacks
- Spam or social engineering
- Known vulnerabilities that have already been fixed
- Issues without security impact
3. Rules
Section titled “3. Rules”- Do be patient & make a good faith effort to provide clarifications to any questions we may have about your report.
- Do respect privacy & make a good faith effort not to access, process or destroy personal data.
- Do be respectful when interacting with our team, and our team will do the same.
- Do exercise caution when testing to avoid negative impact to customers and the services they depend on.
- Do stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
Do NOT
Section titled “Do NOT”- Do not research outside of that outlined in “In Scope”
- Do not publicly disclose a Vulnerability without our explicit review and consent.
- Do not leave any system in a more vulnerable state than you found it.
- Do not submit a report by automated tools without additional analysis as to how they are an issue
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not engage in any form of social engineering of our employees, customers, or partners.
- Do not engage or target any our employees, customers, or partners during your testing.
- Do not attempt to extract, download, or otherwise exfiltrate data that may have PII or other sensitive data other than your own.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Do not interact with accounts you do not own.
- Do not do anything that is prohibited by BBHunt Japan’s terms of use.
4. Rewards
Section titled “4. Rewards”(1) Reward Types
Section titled “(1) Reward Types”This program pays rewards based on the following severity levels:
| Severity | Reward Amount |
|---|---|
| Critical | ¥[Amount] |
| High | ¥[Amount] |
| Medium | ¥[Amount] |
| Low | ¥[Amount] |
(2) Reward Payment Method
Section titled “(2) Reward Payment Method”Rewards are paid through the BBHunt Japan platform. Reporters can receive rewards as specified in BBHunt Japan’s terms of use.
The reward payment flow is as follows:
- The Client initiates a bounty award to the Reporter through the Service.
- A PayPal invoice containing the Reward amount and the Reward Fee is automatically sent to the Client.
- The Client pays the PayPal invoice.
- BBHunt Japan pays the Reward to the Reporter via PayPal, and BBHunt Japan retains the Reward Fee.
- Upon the Reporter’s receipt of the Reward, the entire transaction is completed.
For reward payments, we pay a Reward Fee to BBHunt Japan (20% of the reward amount plus consumption tax). The Reward Fee is borne by us and is not deducted from the Reporter’s reward.
(3) Not Eligible for Reward
Section titled “(3) Not Eligible for Reward”The following cases are not eligible for rewards:
- If we have already received or are aware of a similar report
- Reports outside of the scope
- Vulnerabilities that cannot be reproduced
- Issues without security impact
5. Disclosure Policy and Confidentiality
Section titled “5. Disclosure Policy and Confidentiality”Any data you receive, obtain access to or collect about us, our affiliates or any our customers, employees or agents in connection with the Bug Bounty Program is considered our confidential information (“Confidential Information”).
Confidential Information must be kept confidential and only used: (i) to make the disclosure to us under the Bug Bounty Program; or (ii) to provide any additional information that may be required by us in relation to the submitted report. No further use or exploitation of Confidential Information is allowed. Upon our request, you will permanently erase all Confidential Information for any systems and devices.
You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Bug Bounty submitted report, without our prior explicit consent.
6. Legal and Safe Harbor
Section titled “6. Legal and Safe Harbor”(1) Safe Harbor
Section titled “(1) Safe Harbor”We will not initiate legal action against Reporters who conduct vulnerability assessments and reports in good faith in accordance with BBHunt Japan’s terms of use and this program’s terms. Such activities will be considered authorized conduct.
To receive safe harbor protection, Reporters must meet the following conditions:
- Comply with BBHunt Japan’s terms of use
- Comply with this program’s terms
- Conduct vulnerability assessments only on in-scope systems
- Comply with the prohibited activities of this program
- Not disclose vulnerability information without our prior written consent
Safe harbor does not apply if the Reporter’s activities do not comply with the above conditions.
(2) Disclaimer
Section titled “(2) Disclaimer”If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. We reserve all legal rights in the event of noncompliance with this policy.
By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission. By making a Submission, you give us the right to use your Submission for any purpose.
We also reserve the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.
7. Submitting Reports
Section titled “7. Submitting Reports”(1) Report Quality
Section titled “(1) Report Quality”High quality submissions allow our team to understand the issue better and engage the appropriate teams to fix. The best reports provide enough actionable information to verify and validate the issue without requiring any follow up questions for more information or clarification.
- Check the scope before you begin writing your report to ensure the issue you are reporting is in scope for the program.
- Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue.
- Video or Image only report will not be considered.
- A vulnerability must be verifiable and reproducible for us to be considered In Scope.
- Submit one vulnerability per report unless otherwise required.
(2) Not Eligible for Reward
Section titled “(2) Not Eligible for Reward”If we have already received or are aware of a similar report, or if the report is outside of the scope, it is not eligible for the reward and will be closed regardless of its content.

