Genians, Inc. ("Company" or "Genians") implements the Genians Bug Bounty Program ("Program") which rewards reporting vulnerabilities in Genians products and services. Participants wishing to participate in this Bug Bounty Program and receive a reward must agree to these Terms and Conditions, and if you report a vulnerability, you will be deemed to have agreed to these Terms and Conditions.
Article 1 (Introduction)
The program aims to quickly identify vulnerabilities in Genians products to provide customers with secure products and services and to compensate ("compensate") for reported vulnerabilities at Genians' discretion. These terms and conditions are subject to change at any time, and you agree to the new terms and conditions when you join the program after the change.
Article 2 (Qualification and Method of Participation)
1. You can participate in this program if you meet all of the following criteria.
- You must not be an employee of Genians; retired executives and employees may participate two years after retirement. (Revised September 22, 25)
- Participants must be able to communicate in Korean or English.
2. Participants will pay for all expenses required to participate in this program, and any necessary contact regarding the operation of this program will be made through the participant's e-mail.
3. If you discover any actual or potential security issues, please notify us as soon as possible. (Added October 4, 24)
4. If any vulnerabilities exist or any sensitive data (including personally identifiable information, financial information, proprietary information of any party, or trade secrets) is discovered, you must stop testing, notify us immediately, and not disclose this data to anyone else. (Added October 4, 24)
Article 3 (Scope)
1. The products and services covered by this program are as follows. (Revised January 26, 26)
- NAC Products: Genian NAC V4.* or above
- Cloud NAC CSM service : https://my.genians.com
- Genian Device Platform Intelligence API : https://pi-api.genians.com/pi/v1/apidocs/ (added June 1, 23)
- Genians company website : https://www.genians.com (Added October 4, 24)
- All products/services managed by Genians (Added January 26, 26)
However, the following are excluded from inspection. (Added January 26, 26)
- Third-Party Hosting Services and Solutions (Added January 26, 26)
2. Vulnerabilities outside of Genians products and services are not eligible for evaluation and rewards due to concerns of facilitating illegal hacking and lack of verification under the relevant law. (Added October 4, 24)
Article 4 (Period and Method of Reporting)
1. This program runs at all times. However, Genians may terminate the Program as required without prior notice.
2. If there is a vulnerability reported by the participant prior to the end of this program under the proviso to the preceding paragraph, the company will review it and notify the results even after this program is terminated.
3. Participants should report vulnerabilities in the manner guided by Genians. Vulnerabilities reported by other means are excluded from the reward payment.
4. Membership Registration URL for CSM Bug Bounty. (Added October 4, 24)
- CSM stands for the following. (Added January 26, 26)
- When reporting vulnerabilities to CSM Services, you must use the dedicated bug bounty membership registration. Failure to register for the dedicated membership when reporting vulnerabilities may result in exclusion from rewards. (Revised September 22, 25)
- Membership registration for CSM bug bounty
- If you have created one or more servers in CSM for bug bounty testing, please delete the servers after the bug bounty test is complete to reduce resource waste. You may then recreate the servers as needed. (Added September 22, 25)
※ Membership registration for CSM bug bounty: We operate a dedicated registration process for the Bug Bounty Program to verify that individuals reporting security vulnerabilities do so in good faith, without intent to maliciously exploit issues found in our products or services. This serves as a safeguard to clarify the reporter's purpose and identity regarding sensitive matters that may involve legal liability. (Added September 22, 25)
Article 5 (Reward)
1. Genians determines the amount of reward at the company's discretion, depending on the severity of the reported vulnerability.
2. Based on the international standard for evaluating security vulnerabilities (CVSS 3.1) in terms of the spread of vulnerabilities, the evaluation score is calculated by considering the attack impact and difficulty. The evaluation criteria are as follows. (Revised January 26, 26 - Evaluation Standard)
| Large Category | Sub Category | Description |
| Exploitability | Attack Vector (AV) | Degree of accessibility of the attack path |
| Exploitability | Attack Complexity (AC) | Prerequisites for acquiring attackers, such as system configuration and attribute settings |
| Exploitability | Privileges Required (PR) | Privilege level required by an attacker to exploit a vulnerability |
| Exploitability | User Interaction (UI) | Requirements that users must perform to exploit vulnerabilities |
| Exploitability | Scope | The extent to which it can affect other permissions or resources beyond the vulnerable components |
| Attack Impact | Confidentiality Impact (C) | Degree of impact in terms of confidentiality on the product |
| Attack Impact | Integrity Impact (I) | Degree of impact in terms of integrity on the product |
| Attack Impact | Availability Impact (A) | Degree of impact in terms of availability on the product |
3. The reward amount is determined from the calculated CVSS score according to the following criteria. (Revised September 1, 23)
| CVSS Score | Level of Severity | Rewards (KRW, WON) |
| 9.0 ~ 10.0 | Critical | 5,400,000 ~ 9,000,000 |
| 7.0 ~ 8.9 | High | 2,520,000 ~ 3,600,000 |
| 4.0 ~ 6.9 | Medium | 720,000 ~ 1,800,000 |
| 0.1 ~ 3.9 | Low | 240,000 ~ 480,000 |
※ However, the amounts in the table above are reference amounts according to the vulnerability evaluation score and are not guaranteed.
※ For foreign participants whose rewards must be paid in dollars, the reward will be paid at the KRW to USD exchange rate (added on August 1, 23)
4. Even if you are excluded from the reward pursuant to Article 7.3, small rewards may be provided. (Revised January 26, 26)
Article 6 (Review of submissions and reward procedures)
1. When a vulnerability report is received, the company has sole discretion to review the submissions, verify their eligibility, and determine which submissions are eligible. Review time depends on the complexity and completeness of the submission and the number of submissions received.
2. When the company receives reports of similar vulnerabilities from the same participant, vulnerabilities judged to be the same are treated as one vulnerability even if they were filed in multiple vulnerability reports.
3. If multiple submissions are received for the same vulnerability from other participants, a reward will be given to the first eligible submission. However, if a duplicate report provides new information that was previously unknown to Genians, the reporter who submitted the duplicate report can be rewarded.
4. The company notifies the participant through the reporter's e-mail when it is determined whether or not the vulnerability reported by the participant is eligible for a reward. If it is determined that the reported vulnerability is eligible for Bug Bounty according to the conditions, the reward amount is notified and the necessary documents are requested for payment.
5. Participants must immediately provide the valid and reliable information (hereinafter referred to as "information") necessary for payment of the reward designated by the company when they are asked to provide it through their email account. If the participant does not provide the information within 14 days of the company's request, the participant shall be deemed to have waived the right to receive the reward. The bank transfer fee for transferring the reward is borne by the company. (Revised January 26, 26)
- Participants with Korean bank accounts: The reward amount will be paid to Korean bank accounts in Korean won.
- Participants with foreign bank accounts: The reward amount will be paid to foreign bank accounts in dollars.
6. The bank account required to receive the reward is limited to the participant's own, and the name of the account holder and the name included in the information in the preceding paragraph must be the same.
7. The participant pays the tax on the reward, and the company pays the reward after deducting the amount in accordance with the tax policy of the country to which the participant belongs.
8. In the following cases, the company's obligation to pay rewards shall expire.
- If the company sends a message to the participant's e-mail address but the participant does not respond within 14 days (including any errors when entering the e-mail address, etc.)
- If the participant fails to receive all or part of the reward (including information errors, banking system failures, and participants who are subject to economic sanctions) despite proper remittance procedures based on the information received from the participant
9. Participants must not transfer or provide the right to receive the reward to a third party as collateral.
10. If a participant is found to have violated these terms and conditions, the company may refuse to pay the reward or request the return of the reward paid to the participant.
11. Bounties for reports that are confirmed as vulnerabilities will be paid on the last day of the month following the month in which the vulnerability is confirmed to be patched or remediated. However, if the vulnerability is not patched, the bounty will be paid on the last day of the month following the date that is 60 days after receipt of the report. (added September 1, 23)
12. For reports with a vulnerability severity rating of High or higher, the company may request the participant to perform an implementation check after patching. Participants who do not reply with the results of the implementation check within two weeks of the request may not receive a reward. (added September 1, 23)
13. If the evaluation of the submitted report is deemed insufficient, additional materials may be requested from the participant. If no response is received within one week of the request date, the report will be invalidated. (Added September 22, 25)
Article 7 (Prohibited matters and conditions for exclusion from rewards)
1. Participants must not engage in the following actions while participating in the bug bounty program. Violations will result in disqualification from rewards and may lead to legal liability. (Revised January 26, 26)
- Illegal acts that violate other laws and regulations, or acts that intentionally infringe upon the rights of others (intellectual property rights, commercial/financial interests, etc.) (Revised January 26, 26)
- DoS/DDoS attacks, excessive service scanning using automated programs (scanners), disrupting operating systems, or any other actions that interfere with normal service operations (Revised January 26, 26)
- Using discovered vulnerabilities to view, delete, modify, or disclose company assets, user data, source code, or any other information, and unauthorized system access (Revised January 26, 26)
- Reverse engineering, decompiling, disassembling, or otherwise duplicating, imitating, or modifying the Service; intentionally or negligently installing or distributing malware or viruses (Revised January 26, 26)
- Phishing, spamming, or sending malicious URLs to deceive users or employees, causing direct harm; distributing false information for the purpose of financial gain or harming others (Revised January 26, 26)
- Disclosing vulnerabilities externally or using them for malicious purposes without the Company's consent; crawling to collect program/participant information (Revised January 26, 26)
- Submitting a large number of low-quality reports or engaging in activities contrary to the purpose and intent of this program; attacking physical security facilities (such as data centers) (Revised January 26, 26)
2. The company may disqualify participants who violate the preceding paragraph from participating in this program and exclude them from the reward. In such cases, the participant shall bear responsibility for any damages incurred. Furthermore, the company may notify relevant government agencies or judicial authorities of the participant's prohibited acts if necessary. (Revised September 22, 25)
3. The following cases are excluded from evaluation and rewards.
- When the vulnerability cannot be reproduced, or the reported information is false/exaggerated/unclear and cannot be verified (Revised January 26, 26)
- Incomplete reports that only suggest possibilities without proof (Revised January 26, 26)
- If the vulnerability is already known internally at Genians or has been previously reported/disclosed to others/other organizations (Revised January 26, 26)
- If the product is discontinued or is one for which security updates cannot be developed (Revised January 26, 26)
- Simple exposure of an admin page, debugging response values/error pages/server application information exposure (Revised January 26, 26)
- Clickjacking, page tampering, simple version exposure (Revised January 26, 26)
- Issues where security headers (HSTS, DNS Record, CSP, etc.) are not applied, and simple SSL is not applied (Revised January 26, 26)
- Cases where potential damage from vulnerabilities is extremely minimal or attack value is significantly low (Revised January 26, 26)
- Vulnerabilities that only affect the attacker (e.g., Self-XSS) and self-attacks through direct packet tampering (Revised January 26, 26)
- Simple Reflected XSS (except when critical privilege escalation/function execution is demonstrated) (Revised January 26, 26)
- Issues that occur when security features are disabled or OS/framework security updates are not performed (Revised January 26, 26)
- When based on extreme scenarios such as excessive user intervention or PC takeover/session hijacking (Revised January 26, 26)
- Issues that occur only when Developer Mode is enabled, or man-in-the-middle (MITM) attacks (Revised January 26, 26)
- Issues with essential components (OS, 3rd-party OSS, etc.) or matters resolved by updates (Revised January 26, 26)
- Simple listing of account lists collected from third-party data leak sites (e.g., DeHashed) such as the dark web (Revised January 26, 26)
- DoS-related vulnerabilities and simple results discovered by automated scanning tools (Revised January 26, 26)
- Acquiring server information through unnecessary actions beyond vulnerability proof (Revised January 26, 26)
- Scripting attacks on pages that intentionally include script testing functions (Revised January 26, 26)
- Using phishing/URL redirects or content related to privacy protection (Revised January 26, 26)
- Arbitrarily altering the consent terms in the report or specifying copyright claims in the report (Revised January 26, 26)
- CSRF attacks targeting the CSM (see Article 4, Paragraph 4) (Revised January 26, 26)
- Other cases deemed to pose little or no security threat (Revised January 26, 26)
Article 8 (License of Rights and Submissions)
1. Participants have the authority to modify, process, and duplicate the subject of reporting under Article 3 to the extent necessary to participate in this program.
2. In the event that a participant has invented, created, or written (hereinafter referred to as "invention"), all rights, including copyright, are transferred to the company as soon as the participant submits the vulnerability to the company via e-mail, and the company can freely exercise and dispose of the rights.
3. Participants understand and acknowledge that Genians may develop material similar or identical to the Participant's submission, and waive any claims that may arise due to similarity to the Participant's submission.
4. Participants guarantee that the submission is their own work, that they have not used information owned by another person or organization, and that they have a legal right to provide the submission to Genians. (Revised January 26, 26)
5. If an invention, etc. is a work, the participant shall not claim or exercise the copyright on the work against the company and the person designated by the company.
Article 9 (Handling confidential information of submissions received)
1. Participants shall treat vulnerabilities and information (details on how to attack, etc.) as confidential information and may not disclose them to any third party other than us for any purpose after reporting.
2. If the contents of the report differ from the facts, or if the vulnerability is disclosed to a third party other than us (external conference announcement, etc.), the following disadvantages may be incurred where the participant is found to have violated confidentiality obligations.
- Exclusion from evaluation and reward for one year from the date of disclosure
- Where a reward has already been received for the vulnerability, cancellation of the reward, full recovery of the reward paid, and legal action.
Article 10 (Handling of Personal Information)
1. The company strives to protect participants' personal information as prescribed by related laws such as the Personal Information Protection Act.
2. The company collects the following minimum personal information as required items to ensure smooth use of the bug bounty program and to carry out necessary administrative procedures. (Revised December 05, 25)
- When submitting a bug bounty report : name, English name, email, and contact information
- When providing bug bounty rewards : address and bank account information.
3. The company retains the personal information received from participants for five years from the date the reward for the last reported vulnerability is determined and paid, in accordance with applicable laws. (Revised December 05, 25)
4. All other matters regarding the processing of personal information follow the Genians Privacy Policy. (Added December 05, 25)
Article 11 (Scope of Liability and Damages)
1. Participants take part in this program at their own responsibility, and the company shall not be held liable for any damages incurred by participants from their participation in the program, unless such damages are caused by the company’s willful misconduct or negligence. Furthermore, the company shall not be involved in any disputes arising between participants or between participants and third parties. Such disputes must be resolved at the participant's own responsibility and expense. (Revised September 22, 25)
2. If a participant violates these Terms and Conditions, or if the Company suffers damages, or if a third party files an objection or claim for damages against the Company due to the participant's illegal acts or infringement of third-party rights while using the services provided by the Company, the participant shall indemnify the Company at their own expense and liability and shall compensate the Company for all damages incurred (including direct and indirect damages). (Added September 22, 25)
Article 12 (Change of Terms and Conditions)
1. The Company may change the contents of these Terms and Conditions to the extent that it does not violate the relevant laws and regulations.
2. If the company changes these terms and conditions, it shall specify the application date and notify it on the website at least one week before the application date.
3. If the company announces the revised terms and conditions in accordance with the preceding paragraph and receives a vulnerability report after the application date, the participant shall be deemed to have agreed to the revised terms and conditions.
Article 13 (Compliance Act and jurisdiction)
1. The company hopes that there will be no dispute. However, in the event of a dispute, the participants and the company agree to settle it informally for 60 days.
2. Litigation between the company and the participant is governed by the law of the Republic of Korea, and the competent court for litigation related to disputes between the company and the participant is determined in accordance with the Civil Procedure Act.
3. In the case of a participant with an address or residence abroad, the competent court for a lawsuit concerning a dispute between the company and the participant shall be the Seoul Central District Court of the Republic of Korea, notwithstanding the preceding paragraph.
Article 14 (Inquiry about this program)
All inquiries about the Genians Bug Bounty program are accepted at bugbounty@genians.com and no other inquiries are accepted.
- Vulnerability Disclosure Program Policy Revision and Application Date: 2026-01-26