Q. What is the purpose of the Genians Bug Bounty program ?
The Genians Bug Bounty program is designed to reward those who find vulnerabilities in Genians products and services, while also finding vulnerabilities early and providing secure services.
Q. What is the "Genians' Vulnerability Disclosure Program Policy"
Participants who wish to participate in the Genians Bug Bounty Program and receive a reward must agree to the Terms and Conditions, and if they report a vulnerability, they will be deemed to have agreed to these Terms and Conditions.
Q. What is the procedure used to handle reported vulnerability reports ? (Revised September 1, 23)
There are a total of four stages of progress: Receiption – Confirmation – Assessment/Patch – Payment.
- Step 1 (Reception): Use Google Forms to file a vulnerability report.
- When the report is received, a confirmation email is sent to the reporter that the vulnerability report has been received.(within 3 days)
- Step 2 (Confirmation): Identify basic information on vulnerabilities that have been reported and determine whether there is a new vulnerabilities.
- If it is impossible to determine whether the report is vulnerable, you can request supplementation of the report.
- We will determine if there is a new vulnerability and get back to the reporter with the results. (within 2 weeks)
- Step 3 (Evaluation/Patch): For vulnerabilities determined to be new, we perform an assessment based on our assessment criteria and patch our products and services to address the vulnerability.
- At the end of each month, we check whether the vulnerability has been patched and provide feedback to the reporter.
- Step 4 (Payment): Bounties are paid for vulnerabilities that have been patched or remediated (paid monthly).
- Rewards are paid on the last day of the month following the month in which the vulnerability was patched or remediated.
- However, if the vulnerability is not patched, the bounty will be paid on the last day of the month that is 60 days after the report is received.
- Once the results of the patch or remediation check are confirmed, we will notify you via email of the results and request additional information (such as account information) for payment.
Q. What are the duplicate criteria for reported vulnerability reports ?
If the same vulnerability is reported by another participant, only the first qualifying declaration will be recognized for evaluation. However, if a duplicate report provides new information that is not previously known, a reward may be granted to the reporter who submitted the duplicate report.
If you receive a report of a similar vulnerability from the same participant, even if you have received multiple vulnerability reports, you will consider it a duplicate vulnerability and consider it a vulnerability.
If the vulnerability occurs in different products/services, but the same open source or firmware vulnerability is the same, only the first reported vulnerability is recognized.
Q. Is it possible to modify the submitted vulnerability report ?
If the same participant re-reported the same vulnerability, the last report submitted will be evaluated. However, if you submit it after the evaluation is completed, the evaluation will proceed with the pre-correction report.
Q. How is the vulnerability assessment conducted ?
The reported vulnerabilities will be evaluated on a monthly basis by the self-evaluation committee, and the reward and amount will be determined on a monthly basis based on the evaluation results of the self-evaluation committee.
The results of the evaluation will be notified by email to the reporter.
Q. When will the reward be paid ?(Revised September 1, 23)
Bounties are paid on the last day of the month following the month in which the vulnerability is patched. Vulnerabilities requiring remediation will be paid on the last day of the month following the month in which the remediation is confirmed
If the vulnerability is not patched for a certain period of time, the bounty will be paid on the last day of the month that is 60 days after the report is received.
Not all vulnerabilities are compensated, and additional information may be requested from the recipient for compensation.
Q. What are the performance checks required of participants? (Added September 1, 23)
A performance check is when a company requests a participant to confirm that a report with a vulnerability severity rating of High or higher has been patched after the vulnerability has been patched.
The participant must confirm that the vulnerability is reproduced and email the company with proof.
If the participant does not respond with proof within two weeks of receiving the request, the bounty may not be paid.
Q. Is there a limit to cash rewards paid through the program ?
There are some set standards, but there are no set limits on the rewards offered through the program. Evaluate based on the severity of reported vulnerabilities and determine appropriate cash rewards for each report.
Q. Is there a limit to the number of vulnerabilities a person can report ?
Reported vulnerabilities are rewarded according to the evaluation results, and there is no limit to the number of vulnerabilities. However, if several similar vulnerabilities are reported, they can be considered as one.
Q. Can I post the details of the reported vulnerability on blogs, SNS, etc. ?
Q. How do I report vulnerabilities I found in a team ?
You can select a representative of the team and report it in the name of the representative. Contact and reward payments will be made through the representative.
Q. What security vulnerabilities are eligible for rewards ?
A reward will be given to vulnerabilities that may be exploited for actual attacks among software that did not receive security updates at the time of the vulnerability report.
In addition, vulnerabilities discovered without legitimate access without the consent of the information and communication service provider on the actual service website or system are exempt from payment and punishable by law. (Refer to the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc., Article 48 (1), Article 71 (1), 9 and 2)
Q. Is it possible to report vulnerabilities found in products and services other than those subject to reporting ?
Attempts to find bugs outside of the stated products and services and domains are not allowed by default and may be held accountable in the event of a problem.
Q. What is Network Access Control (NAC) ?
Network Access Control is a solution that restricts access to only authorized devices by checking the access availability of devices accessing the network.
For more information, please refer to the Homepage Administrator Guide (Understanding NAC).
Q. What are the components of NAC ?
Genian NAC is built into three components: "Policy Server," "Network Sensor," and "Agent."
For more information, see the Homepage Administrator's Guide (Understanding Components).
Q. How can I install NAC ?
For instructions on installing the Genian NAC on your system and accessing the Administrator Web and CLI console, see the Homepage Administrator's Guide (Installing the Genian NAC).
Q. How can I inquire about the processing status of the received vulnerability report ? (Revised September 1, 23)
If you have any questions about the bug bounty program, you can always contact us via our vulnerability email (email@example.com).
If you do not receive a confirmation of receipt of your vulnerability report (within 3 days) and evaluation results (monthly), please contact us by email.