We're interested but the barriers to adoption seem high. We don't know what to request or how to do it.
Our white hat hackers will interview you and advise on what should be targeted, what rules should govern the requests made to white hat hackers, and more. After listening to your requirements and concerns, we will tailor your bug bounty program and support you until it is published on the platform.
It is difficult for us to handle communication with white hat hackers and scrutinize the content of vulnerability reports on our own.
For publicly accessible targets (e.g., websites/apps) on ZoneZero, white hat hackers from ZoneZero's operator, Foasset Inc., will verify reports and communicate with the reporting white hat hackers on your behalf. Once the contents of each report have been confirmed with the reporter, we will consult with you to determine the reward amount. Note: during this verification process we may contact you to confirm the design and specifications of the listed target, so please assign a technical point of contact.
If a large number of serious vulnerabilities are discovered, the potential rewards could be enormous, making us anxious about adoption.
We can cap the total reward amount at a figure that fits your budget. Please consult with us.
We want to do this, but we're worried about having strangers investigate. Can we set up a closed project and specify who to request?
Yes. As a closed program, you can request only specific white hat hackers registered on the platform.
We're concerned that discovered vulnerabilities will be leaked and lead to exploitation.
There is no direct causal relationship between 'having vulnerabilities found by listing on a bug bounty platform' and 'having those vulnerabilities exploited.' Services listed for bug bounties are, as a rule, already public, and attackers probe public services for vulnerabilities whether or not a bug bounty is running. Having well-intentioned hackers find and report vulnerabilities before attackers exploit them reduces the damage.
If it's about detecting vulnerabilities and confirming security risks, couldn't vulnerability assessments and the like also work? What's the difference?
Vulnerability assessments are characterized by 'a few white hat hackers' finding 'known vulnerabilities' in a 'limited time', giving a snapshot of security risk at that point in time. In contrast, bug bounties are characterized by 'many white hat hackers' finding 'unknown vulnerabilities' 'without a time limit', providing 'continuous monitoring for unknown risks'. Combining the two approaches can be expected to maximize the security improvement.
For example, if the target is a website, won't conducting a bug bounty put a load on the production environment?
You can set detailed rules, such as prohibiting testing during peak hours and prohibiting brute-force attacks, DDoS, and other activity that loads the server. The target can be either a production or a development environment as long as it is reachable from the Internet, so you can list a development environment instead. If you do, keep its configuration close to production so that findings carry over, and remember that an Internet-exposed development environment is itself an attack surface that needs the same hardening.
For example, if the target is a website, how can you distinguish between actual attacks and bug bounty activities?
By instructing participants to mark their traffic with a specific string during testing (for example, by adding a custom HTTP request header), you can distinguish ZoneZero bug bounty participants from attackers. Keep in mind that anyone can add such a header, so use it to attribute and triage traffic in your logs, never to exempt requests from security controls such as a WAF or rate limiting.
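As an added example, not ZoneZero's or Foasset's own tooling, the following script shows how a defender might triage web-server logs once participants have agreed to send such a header. It assumes a hypothetical header name (X-Bug-Bounty), hypothetical per-hunter tokens issued at program launch, and a web server configured to append the header's value as the last quoted field of a combined-format log line; the log lines are constructed for illustration. Requests carrying a registered token are attributed to the program, requests carrying an unregistered value are flagged as untrusted, and everything else is treated as ordinary traffic.

```python
"""Attribute web-server log lines to bug bounty participants by a
program-specific HTTP request header.

Added example; not part of the ZoneZero platform. The header name,
tokens, log format and log lines are all constructed for illustration.
"""
import re
from collections import Counter

# Hypothetical header name agreed in the program rules.
BOUNTY_HEADER = "X-Bug-Bounty"

# Hypothetical per-hunter tokens issued when the program went live.
# Only a value from this set attributes a request to a registered hunter.
REGISTERED_TOKENS = {"zz-a1b2c3", "zz-d4e5f6"}

# Combined log format plus one trailing quoted field holding the value of
# the bounty header ("-" when the request carried no such header).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<bounty>[^"]*)"$'
)

# Constructed sample log: one tagged hunter, one untagged scanner, one
# request with a token we never issued, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0900] "GET /login?user=%27%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" "zz-a1b2c3"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0900] "GET /login?user=%27%20OR%201=1-- HTTP/1.1" 200 512 "-" "sqlmap/1.7" "-"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0900] "POST /api/reset HTTP/1.1" 403 88 "-" "curl/8.0" "zz-notregistered"
192.0.2.44 - - [10/Oct/2023:13:58:40 +0900] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""


def classify_token(token):
    """Map the logged header value to a traffic class.

    'bounty'        -> value matches a token we issued
    'unknown-token' -> header present but not a token we issued
    'untagged'      -> no header sent
    The header is attacker-spoofable, so even 'bounty' only attributes
    traffic; it must never bypass security controls.
    """
    if token in ("", "-"):
        return "untagged"
    if token in REGISTERED_TOKENS:
        return "bounty"
    return "unknown-token"


def parse_line(line):
    """Parse one log line into a dict with a 'class' key, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["class"] = classify_token(rec["bounty"])
    return rec


def summarize(log_text):
    """Return (per-class counts, parsed records) for a block of log text."""
    counts = Counter()
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            counts["unparseable"] += 1
            continue
        counts[rec["class"]] += 1
        records.append(rec)
    return counts, records


if __name__ == "__main__":
    counts, records = summarize(SAMPLE_LOG)
    for r in records:
        print(f"{r['class']:14} {r['ip']:15} {r['status']} {r['req']}")
    print(dict(counts))
```

On the hunter's side the same marking is a single flag, e.g. `curl -H "X-Bug-Bounty: zz-a1b2c3" https://target.example/` or a match-and-replace rule in an intercepting proxy. On the defender's side, the 'unknown-token' and 'untagged' classes are the ones to route to normal incident handling; the 'bounty' class is merely a hint for triage, because the second sample line shows the same injection payload arriving with no header at all, which is exactly the traffic the program does not explain.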
What are the targets of bug bounties?
There are no restrictions on what can be registered: software such as websites, web apps, desktop applications and mobile applications; hardware such as IoT devices; and blockchains.
What language should be used to report vulnerabilities?
English. However, some companies may also accept reports in Japanese.
What are the eligibility requirements?
If it is a 'public program' that is open to everyone, all registered ZoneZero users are eligible to participate. You may also be invited to 'closed programs', which require an invitation from the company, based on your activity record on ZoneZero and other factors.