Responsible Disclosure Policy
English Version (For Convenience)
Section titled “English Version (For Convenience)”1. Overview
Section titled “1. Overview”BBHunt Japan K.K. (the “Company”) establishes this Responsible Disclosure Policy (this “Policy”) for the improvement of cybersecurity and proper vulnerability management. This Policy defines the basic principles for handling vulnerabilities reported through the Company’s platform.
2. Basic Principles
Section titled “2. Basic Principles”The Company adheres to the following basic principles regarding vulnerability disclosure and handling:
- Transparency: Ensures appropriate transparency in the vulnerability reporting, evaluation, and response process.
- Promptness: Evaluates and responds to vulnerability reports promptly upon receipt.
- Fairness: Responds to vulnerability reporters fairly and with respect.
- Security: Properly manages vulnerability information and prevents unauthorized use.
- Legal Compliance: Complies with relevant laws in handling vulnerabilities.
3. Scope of Vulnerabilities
Section titled “3. Scope of Vulnerabilities”This Policy covers vulnerabilities that meet the following conditions:
- Vulnerabilities reported through the Company’s platform
- Vulnerabilities within the scope of a Client’s program
- Vulnerabilities discovered by reporters in compliance with the Service’s Terms of Use
4. Reporting Process
Section titled “4. Reporting Process”- Vulnerability reports shall be submitted through the Company’s prescribed reporting form.
- Reports shall include the following information:
- Detailed description of the vulnerability
- Steps to reproduce the vulnerability
- Assessment of the vulnerability’s impact and severity
- Recommendations for remediation (optional)
- Reports shall be made in Japanese or English.
5. Evaluation Process
Section titled “5. Evaluation Process”- Upon receiving a vulnerability report, the Company will evaluate it according to the following procedure:
- Acknowledgment of receipt (within 24 hours)
- Initial evaluation and classification (within 72 hours)
- Notification to the Client
- Severity assessment and reward determination
- Vulnerability severity will be assessed according to the following criteria:
- Critical: Vulnerabilities that could cause complete system compromise, large-scale data leakage, or complete service outage
- High: Vulnerabilities that could cause significant data leakage, partial service outage, or compromise of critical functions
- Medium: Vulnerabilities that could cause limited data leakage or compromise of some functions
- Low: Vulnerabilities with minimal impact
6. Response Process
Section titled “6. Response Process”- Upon completing the vulnerability evaluation, the Company will provide the Client with the following information:
- Vulnerability details
- Severity assessment
- Remediation recommendations
- Remediation priority
- Clients shall remediate vulnerabilities, and the Company will monitor remediation progress.
- When a vulnerability is remediated, the Company will notify the reporter accordingly.
7. Rewards
Section titled “7. Rewards”- Rewards are determined based on the vulnerability’s severity, impact, and report quality.
- Reward amounts are as specified in each program’s terms.
- Rewards are paid through the method prescribed by the Company.
8. Confidentiality
Section titled “8. Confidentiality”- Vulnerability reporters shall not disclose or publish information about reported vulnerabilities to third parties without prior written consent from the Company or Client.
- The Company properly manages vulnerability information and prevents unauthorized use.
- Public disclosure of vulnerabilities shall be conducted after the Company or Client confirms remediation, in accordance with the instructions of the Company or Client.
9. Safe Harbor
Section titled “9. Safe Harbor”- Vulnerability reports made in good faith in accordance with this Policy shall be considered authorized conduct, and the Company will not initiate legal action against reporters.
- If legal action is initiated by a third party against a reporter in connection with activities conducted under this Policy, the Company will indicate that the reporter’s actions were conducted in compliance with this Policy.
- This safe harbor provision does not apply if the reporter’s activities do not comply with this Policy.
10. Prohibited Activities
Section titled “10. Prohibited Activities”The following activities are prohibited in connection with vulnerability reporting:
- Extracting, downloading, or exfiltrating data using vulnerabilities
- Denial of service (DoS) attacks
- Social engineering
- Unauthorized access to others’ personal information
- Improper disclosure of vulnerabilities
- Other activities the Company deems inappropriate
11. Governing Law and Jurisdiction
Section titled “11. Governing Law and Jurisdiction”- This Policy shall be governed by Japanese law.
- Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the Osaka District Court or Osaka Summary Court as the court of first instance.
12. Language
Section titled “12. Language”The Japanese version of this Policy is the authoritative version. In the event of any discrepancy between the Japanese and English versions, the Japanese version shall prevail.
13. Revisions
Section titled “13. Revisions”The Company reserves the right to revise this Policy. Revised policies become effective upon publication on the Company’s website.

