Genians Bug Bounty Program
The Genians Bug Bounty Program seeks to make products safer by quickly identifying security issues in products and services with the help of security experts, and by rewarding those experts for their efforts.
Operating Background
A bug bounty is a system that pays bounties to those who discover vulnerabilities in software or web services.
Major global companies operate bug bounty programs to discover vulnerabilities in their products and services and to strengthen security, and some companies also operate their own bug bounty. In addition, Korea NCSC and KISA operate security vulnerability reporting and reward systems to prevent intrusion incidents that exploit vulnerabilities, and Genians participates as a partner in the reporting and reward system operated by Korea’s Internet & Security Agency (KISA).


Program Scope
Vulnerabilities in the following products and services are subject to reporting.
(Reports on anything other than these targets are not eligible for rewards.)
– NAC product: Genian NAC V4.* or above
– Cloud NAC CSM service
– Genian Device Platform Intelligence API
– Genians company website, etc.
Note) Vulnerabilities outside of Genians products and services are not eligible for evaluation and rewards because of concerns about facilitating illegal hacking and the lack of verification under the relevant law.
* Note: Genian NAC Security Advisories
Program Process

Step 1: Security Vulnerability Reporting
Use Google Forms to complete a vulnerability report.
Observe our responsible research and disclosure policies and safe harbor regulations.
Do not disclose reports, or any communication related to reports, to others without the explicit consent of Genians.
We'll send you a confirmation that we received your report (within 3 days).

Step 2: Validate Report
Genians will check the basic information of the reported vulnerability and determine whether it is a new vulnerability.
If we are unable to verify the report, we may request supplementary information. We will determine whether it is a new vulnerability and provide feedback to the reporter (within 2 weeks).

Step 3: Assessment/Patch
Team Genians assesses vulnerabilities determined to be new against the assessment criteria, and patches products and services to address the vulnerability.
We provide feedback to the reporter on whether the vulnerability has been patched (end of each month).

Step 4: Rewards Period
Once the vulnerability has been patched or remediated (severity High or higher), we will finalize the bounty amount, notify the reporter of the results, and pay the bounty.
However, if the vulnerability is not patched, the reward will be paid on the last day of the following month, which is 60 days after the report is received.
Rewards
Rewards for qualifying bug bounty reports range from 240,000 won to 9,000,000 won. Points will be calculated based on the Common Vulnerability Scoring System Version 3.1 (CVSS 3.1).
Note) Any activity that damages the business, services, or users in the process of analyzing vulnerabilities, such as random unauthorized substitution attacks, denial of service attacks, access to third-party accounts or data, or unauthorized server penetration attempts, will be excluded from the reward.

CVSS Point | Level of Severity | Rewards (KRW, won) | Rewards (USD, ex $1=1,300 won) |
---|---|---|---|
9.0~10.0 | Critical | 5,400,000 ~ 9,000,000 | $4,150 ~ $6,920 |
7.0~8.9 | High | 2,520,000 ~ 3,600,000 | $1,930 ~ $2,760 |
4.0~6.9 | Medium | 720,000 ~ 1,800,000 | $550 ~ $1,380 |
0.1~3.9 | Low | 240,000 ~ 480,000 | $180 ~ $360 |
※ For foreign reporters whose rewards must be paid in dollars, the reward will be paid at the KRW to USD exchange rate.
In terms of the impact of the vulnerability, we consider the impact and difficulty of the attack based on the International Standard for the Evaluation of Security Vulnerabilities (CVSS 3.1).

Large Category | Sub Category | Description |
---|---|---|
Attack Impact | Scope of Influence | The extent to which it can affect other permissions or resources beyond the vulnerable components |
Attack Impact | Confidentiality Impact (C) | Degree of impact in terms of confidentiality on the product |
Attack Impact | Integrity Impact (I) | Degree of impact in terms of integrity on the product |
Attack Impact | Availability Impact (A) | Degree of impact in terms of availability on the product |
Exploitability | Attack Vector (AV) | Degree of accessibility of the attack path |
Exploitability | Attack Complexity (AC) | Prerequisites an attacker must acquire, such as system configuration and attribute settings |
Exploitability | Privileges Required (PR) | Privilege level required by an attacker to exploit a vulnerability |
Exploitability | User Interaction (UI) | Requirements that users must perform to exploit vulnerabilities |

Limitations and Vulnerabilities Disclosure Policy
- Do not disclose detailed information about reported vulnerabilities to third parties until they are fixed and the update has been applied by most users (customers). However, vulnerabilities may be disclosed if Genians permits it in writing, etc.
- Please refrain from doing anything that may harm other users.
- Employees of Genians and its affiliates are not allowed to participate in this program.
If you have any questions about reporting security vulnerabilities and reward procedures, please send them to bugbounty@genians.com.