Skip to content

Responsible Disclosure Policy

BBHunt Japan K.K. (the “Company”) establishes this Responsible Disclosure Policy (this “Policy”) for the improvement of cybersecurity and proper vulnerability management. This Policy defines the basic principles for handling vulnerabilities reported through the Company’s platform.

The Company adheres to the following basic principles regarding vulnerability disclosure and handling:

  1. Transparency: Ensures appropriate transparency in the vulnerability reporting, evaluation, and response process.
  2. Promptness: Evaluates and responds to vulnerability reports promptly upon receipt.
  3. Fairness: Responds to vulnerability reporters fairly and with respect.
  4. Security: Properly manages vulnerability information and prevents unauthorized use.
  5. Legal Compliance: Complies with relevant laws in handling vulnerabilities.

This Policy covers vulnerabilities that meet the following conditions:

  1. Vulnerabilities reported through the Company’s platform
  2. Vulnerabilities within the scope of a Client’s program
  3. Vulnerabilities discovered by reporters in compliance with the Service’s Terms of Use
  1. Vulnerability reports shall be submitted through the Company’s prescribed reporting form.
  2. Reports shall include the following information:
    1. Detailed description of the vulnerability
    2. Steps to reproduce the vulnerability
    3. Assessment of the vulnerability’s impact and severity
    4. Recommendations for remediation (optional)
  3. Reports shall be made in Japanese or English.
  1. Upon receiving a vulnerability report, the Company will evaluate it according to the following procedure:
    1. Acknowledgment of receipt (within 24 hours)
    2. Initial evaluation and classification (within 72 hours)
    3. Notification to the Client
    4. Severity assessment and reward determination
  2. Vulnerability severity will be assessed according to the following criteria:
    1. Critical: Vulnerabilities that could cause complete system compromise, large-scale data leakage, or complete service outage
    2. High: Vulnerabilities that could cause significant data leakage, partial service outage, or compromise of critical functions
    3. Medium: Vulnerabilities that could cause limited data leakage or compromise of some functions
    4. Low: Vulnerabilities with minimal impact
  1. Upon completing the vulnerability evaluation, the Company will provide the Client with the following information:
    1. Vulnerability details
    2. Severity assessment
    3. Remediation recommendations
    4. Remediation priority
  2. Clients shall remediate vulnerabilities, and the Company will monitor remediation progress.
  3. When a vulnerability is remediated, the Company will notify the reporter accordingly.
  1. Rewards are determined based on the vulnerability’s severity, impact, and report quality.
  2. Reward amounts are as specified in each program’s terms.
  3. Rewards are paid through the method prescribed by the Company.
  1. Vulnerability reporters shall not disclose or publish information about reported vulnerabilities to third parties without prior written consent from the Company or Client.
  2. The Company properly manages vulnerability information and prevents unauthorized use.
  3. Public disclosure of vulnerabilities shall be conducted after the Company or Client confirms remediation, in accordance with the instructions of the Company or Client.
  1. Vulnerability reports made in good faith in accordance with this Policy shall be considered authorized conduct, and the Company will not initiate legal action against reporters.
  2. If legal action is initiated by a third party against a reporter in connection with activities conducted under this Policy, the Company will indicate that the reporter’s actions were conducted in compliance with this Policy.
  3. This safe harbor provision does not apply if the reporter’s activities do not comply with this Policy.

The following activities are prohibited in connection with vulnerability reporting:

  1. Extracting, downloading, or exfiltrating data using vulnerabilities
  2. Denial of service (DoS) attacks
  3. Social engineering
  4. Unauthorized access to others’ personal information
  5. Improper disclosure of vulnerabilities
  6. Other activities the Company deems inappropriate
  1. This Policy shall be governed by Japanese law.
  2. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the Osaka District Court or Osaka Summary Court as the court of first instance.

The Japanese version of this Policy is the authoritative version. In the event of any discrepancy between the Japanese and English versions, the Japanese version shall prevail.

The Company reserves the right to revise this Policy. Revised policies become effective upon publication on the Company’s website.