Genians, Inc. ("Company" or "Genians") implements the Genians Bug Bounty Program ("Program") which rewards reporting vulnerabilities in Genians products and services. Participants wishing to participate in this Bug Bounty Program and receive a reward must agree to these Terms and Conditions, and if they report a vulnerability, they will be deemed to have agreed to these Terms and Conditions.
Article 1 (Introduction)
The program aims to quickly identify vulnerabilities in Genians products so that customers receive secure products and services, and to provide compensation ("compensation") for reported vulnerabilities at Genians' discretion. These terms and conditions are subject to change at any time, and by joining the program after a change you agree to the new terms and conditions.
Article 2 (Qualification and Method of Participation)
1. You can participate in this program if you meet all of the following criteria.
- You must not be an employee of Genians; retired executives and employees may participate two years after retirement. (Revised September 22, 25)
- Participants must be able to communicate in Korean or English.
2. Participants bear all expenses required to participate in this program, and any necessary contact regarding the operation of this program will be made through the participant's e-mail.
3. If you discover any actual or potential security issues, please notify us as soon as possible. (Added October 4, 24)
4. If any vulnerability exists or any sensitive data (including personally identifiable information, financial information, proprietary information of any party, or trade secrets) is discovered, you must stop testing, notify us immediately, and must not disclose this data to anyone else. (Added October 4, 24)
Article 3 (To be reported)
1. Products and services subject to this program are as follows. (We plan to expand the scope of reporting over time.) (Revised October 4, 24)
- NAC Products: Genian NAC V4.* or above
- Cloud NAC CSM service: https://my.genians.com
- Genian Device Platform Intelligence API: https://pi-api.genians.com/pi/v1/apidocs/ (Added June 1, 23)
- Genians company website: https://www.genians.com (Added October 4, 24)
2. All services not explicitly listed in the reporting items above are excluded from reporting, and you do not have permission to test them. If you are unsure whether a system is in scope, or if there is a specific system not included in this list that you believe needs testing, please contact us before beginning your investigation. (Added October 4, 24)
3. If you report a vulnerability to a product or service that is not covered by the program at the time of reporting, you will not be able to receive a reward even if the product or service is added to the program later.
4. Vulnerabilities outside of Genians products and services are not eligible for evaluation and rewards due to concerns about facilitating illegal hacking and the lack of verification under the relevant law. (Added October 4, 24)
Article 4 (Period and Method of Reporting)
1. This program runs at all times. However, Genians may terminate the Program as required without prior notice.
2. If a participant reported a vulnerability before the end of this program under the proviso of the preceding paragraph, the company will review it and notify the participant of the result even after this program has terminated.
3. Participants should report vulnerabilities in the manner guided by Genians. Vulnerabilities reported by other means are excluded from the reward payment.
4. Membership Registration URL for CSM Bug Bounty. (Added October 4, 24)
- When reporting vulnerabilities to CSM Services, you must use the dedicated bug bounty membership registration. Failure to register for the dedicated membership when reporting vulnerabilities may result in exclusion from rewards. (Revised September 22, 25)
- Membership registration for CSM bug bounty
- If you have created one or more servers in CSM for bug bounty testing, please delete the servers after the bug bounty test is complete to reduce resource waste. You may then recreate the servers as needed. (Added September 22, 25)
※ Membership registration for CSM bug bounty: We operate a dedicated registration process for the Bug Bounty Program to verify that individuals reporting security vulnerabilities do so in good faith, without intent to maliciously exploit issues found in our products or services. This serves as a safeguard to clarify the reporter's purpose and identity regarding sensitive matters that may involve legal liability. (Added September 22, 25)
Article 5 (Reward)
1. Genians determines the amount of reward at the company's discretion, depending on the severity of the reported vulnerability.
2. Based on CVSS 3.1, the international standard for evaluating security vulnerabilities, the evaluation score is calculated from the attack impact and the difficulty (exploitability) of the attack. The evaluation criteria are as follows. (Added October 4, 24 - Evaluation Standard)
Large Category | Sub Category | Description
--- | --- | ---
Exploitability | Attack Vector (AV) | Degree of accessibility of the attack path
Exploitability | Attack Complexity (AC) | Prerequisites an attacker must satisfy, such as system configuration and attribute settings
Exploitability | Privileges Required (PR) | Privilege level required by an attacker to exploit the vulnerability
Exploitability | User Interaction (UI) | Actions a user must perform for the vulnerability to be exploited
Scope | Scope of Influence (S) | The extent to which the vulnerability can affect permissions or resources beyond the vulnerable component
Attack Impact | Confidentiality Impact (C) | Degree of impact on the confidentiality of the product
Attack Impact | Integrity Impact (I) | Degree of impact on the integrity of the product
Attack Impact | Availability Impact (A) | Degree of impact on the availability of the product
3. Based on the calculated CVSS score, the reward amount is based on the following criteria. (Revised September 1, 23)
CVSS Score | Level of Severity | Rewards (KRW)
--- | --- | ---
9.0 ~ 10.0 | Critical | 5,400,000 ~ 9,000,000
7.0 ~ 8.9 | High | 2,520,000 ~ 3,600,000
4.0 ~ 6.9 | Medium | 720,000 ~ 1,800,000
0.1 ~ 3.9 | Low | 240,000 ~ 480,000
※ The amounts in the table above are reference amounts for each vulnerability evaluation score; the listed reward amounts are not guaranteed.
※ For foreigners who must be paid in dollars, the reward will be paid at the KRW to USD exchange rate. (Added August 1, 23)
4. Even if you are excluded from the reward pursuant to Article 7(3), small rewards may be provided. (Revised September 22, 25)
Article 6 (Review of submissions and reward procedures)
1. When a vulnerability report is received, the company has sole discretion to review the submissions, verify their eligibility, and determine which submissions are eligible. Review time depends on the complexity and completeness of the submission and the number of submissions received.
2. When the company receives multiple reports of similar vulnerabilities from the same participant, reports judged to describe the same vulnerability are counted as one vulnerability, even if they were filed as separate vulnerability reports.
3. If multiple submissions for the same vulnerability are received from different participants, the reward is given to the first eligible submission. However, if a duplicate report provides new information previously unknown to Genians, the reporter who submitted the duplicate report may be rewarded.
4. The company notifies the participant through the reporter's e-mail when it is determined whether or not the vulnerability reported by the participant is eligible for a reward. If it is determined that the reported vulnerability is eligible for Bug Bounty according to the conditions, the reward amount is notified and the necessary documents are requested for payment.
5. When asked through their e-mail account, participants must promptly provide the valid and reliable information (hereinafter "information") the company requires to pay the designated reward. If the participant does not provide the information within 14 days of the company's request, he/she shall be deemed to have waived the right to receive the reward. The bank transfer fee for remitting the reward is borne by the company.
- Participants with Korean bank accounts: the reward is paid to the Korean bank account in Korean won.
- Participants with foreign bank accounts: the reward is paid to the foreign bank account in dollars.
6. The bank account required to receive the reward is limited to the participant's own, and the name of the account holder and the name included in the information in the preceding paragraph must be the same.
7. The participant bears the tax on the reward, and the company pays the reward after deducting tax in accordance with the tax policy of the participant's country.
8. In the following cases, the company's obligation to pay rewards shall expire.
- If the company sends a message to the participant's e-mail address but the participant does not respond within 14 days (including any errors when entering the e-mail address, etc.)
- If the participant fails to receive all or part of the reward (including information errors, banking system failures, and participants who are subject to economic sanctions) despite proper remittance procedures based on the information received from the participant
9. Participants must not transfer the right to receive the reward to a third party or provide it as collateral.
10. If a participant is found to have violated these terms and conditions, the company may refuse to pay the reward or request the return of the reward paid to the participant.
11. Bounties for reports that are confirmed as vulnerabilities will be paid on the last day of the month following the month in which the vulnerability is confirmed to be patched or remediated. However, if the vulnerability is not patched, the bounty will be paid on the last day of the month following the date that is 60 days after receipt of the report. (Added September 1, 23)
12. For reports with a vulnerability severity rating of High or higher, the company may request the participant to perform an implementation check after patching. Participants who do not reply with the results of the implementation check within two weeks of the request may not receive a reward. (Added September 1, 23)
13. If the evaluation of the submitted report is deemed insufficient, additional materials may be requested from the participant. If no response is received within one week of the request date, the report will be invalidated. (Added September 22, 25)
Article 7 (Prohibited Matters and Conditions for Exclusion from Rewards)
1. Participants must not do any of the following while participating in the Bug Bounty program.
- Acts that infringe on the rights of others or other illegal acts in violation of laws and regulations
- Scanning services with automated programs
- DoS (Denial of Service) attacks or acts that interfere with normal service operations (Revised September 22, 25)
- Physical attacks on the company's assets or data centers
- Viewing, deleting, modifying, or disclosing users' data using the found vulnerability
- Reading, deleting, modifying, or disclosing the source code, etc. using the found vulnerability
- Infringement of personal information, deterioration of user experience, and interruption of the operating system (Added October 4, 24)
- Disclosing discovered vulnerabilities before reporting them to the company (Added October 4, 24)
- Intentionally infringing upon intellectual property rights or other commercial or financial interests (Added October 4, 24)
- Submitting large quantities of low-quality reports (Added October 4, 24)
- The act of accessing, deleting, modifying, or disclosing company assets by exploiting discovered vulnerabilities (Added September 22, 25)
- Disclosing discovered vulnerabilities externally without the company's consent (Added September 22, 25)
- Using discovered vulnerabilities for malicious purposes (Added September 22, 25)
- Unauthorized system access (Added September 22, 25)
- Crawling to collect program information, reports, or participant information (Added September 22, 25)
- Reproducing, disassembling, imitating, or otherwise modifying the service through reverse engineering, decompilation, disassembly, or any other form of processing (Added September 22, 25)
- Installing or distributing programs such as malware or viruses, whether intentionally or negligently (Added September 22, 25)
- Distributing false information with the intent to gain financial benefit for oneself or others, or to cause harm to others (Added September 22, 25)
- Other acts contrary to the purpose and intent of this program
2. The company may disqualify participants who violate the preceding paragraph from participating in this program and exclude them from rewards. In such cases, the participant shall bear responsibility for any damages incurred. Furthermore, the company may notify relevant government agencies or judicial authorities of the participant's prohibited acts if necessary. (Revised September 22, 25)
3. The following cases are excluded from the evaluation and reward targets.
- The vulnerability cannot be reproduced when the vulnerability report is received
- The vulnerability is reproduced when the report is received, but it was already known within Genians (e.g., known but not yet corrected; in this case, a full explanation of the circumstances and timing of the internal discovery is provided)
- Vulnerabilities that amount to ways of disabling agents (stopping, shutting down, deleting, etc.) (Revised September 1, 23)
- Vulnerabilities that are not manifested when performing security updates of essential elements (OS, framework, etc.) required for product operation, or vulnerabilities that occur only by changing them
- Obtaining information on the server through unnecessary actions other than proof of vulnerability
- Vulnerabilities reported by other reporters first, vulnerabilities already reported elsewhere (KISA, etc.), and vulnerabilities already publicly known (3rd party related OSS vulnerabilities, etc.) (Revised May 6, 24)
- If security updates cannot be developed, such as discontinued products
- The reported information is false, exaggerated, or unclear so that the vulnerability cannot be identified, or the report is incomplete and presents only possibilities without proof
- The consent-related contents of the report have been arbitrarily altered before submission
- The reporter specifies that they will exercise copyright over the reported vulnerability information
- Denial-of-Service (DoS)-related vulnerabilities (Revised May 6, 24)
- Vulnerabilities based on excessive user intervention or extreme scenarios (such as a PC already compromised via registry modifications, malware, or situations where the session ID has been stolen) (Revised September 22, 25)
- Vulnerabilities created by turning off security features
- Vulnerabilities that can cause very little damage or have a very low ripple effect, such that an attacker would not need the reported vulnerability for exploitation
- Matters relating to privacy protection beyond the technical vulnerabilities specified in these Terms and Conditions (Added January 1, 23)
- Vulnerabilities that only affect you (Self XSS, where you can only attack yourself by modifying your own packets) (Added January 1, 23)
- In the following cases:
  - Administrator page exposure, debugging response exposure, clickjacking, page alteration via error pages, server application information exposure, security/CSP header issues, cookie theft due to SSL not being applied (Added January 1, 23)
  - Reflected XSS, HSTS Not Enforced, Man in the Middle (MITM), DNS Record Not Enforced, User Enumeration Vulnerability (Added May 6, 24)
  - Any scripting attacks on web pages with intentional script testing capabilities (Added April 6, 23)
- Vulnerabilities discovered by scanning tools (added May 6, 24)
- Vulnerabilities that only appear with developer mode enabled (added May 6, 24)
- Vulnerabilities using phishing (including social engineering techniques to trick users) or URL redirection (added May 6, 24)
- Due to internal reasons, Cross-Site Request Forgery (CSRF) vulnerabilities affecting the https://my.genians.com/ (CSM) will not be accepted for reporting until December 31, 2025. (added September 22, 25)
- Other vulnerabilities judged to pose low or no security threat (Revised January 1, 23)
Article 8 (License of Rights and Submissions)
1. Participants have the authority to modify, process, and duplicate the subject of reporting under Article 3 to the extent necessary to participate in this program.
2. In the event that a participant has invented, created, or written (hereinafter referred to as "invention"), all rights, including copyright, are transferred to the company as soon as the participant submits the vulnerability to the company via e-mail, and the company can freely exercise and dispose of the rights.
3. Participants understand and acknowledge that Genians may develop material similar or identical to the Participant's submission, and waive any claims that may arise due to similarity to the Participant's submission.
4. Participants guarantee that their submission is their own work, that they have not used information owned by another person or organization, and that they have the legal right to provide the submission to Genians.
5. If an invention, etc. is a work, the participant shall not claim or exercise the copyright on the work against the company and the person designated by the company.
Article 9 (Handling confidential information of submissions received)
1. Participants shall treat vulnerabilities and related information (details of the attack method, etc.) as confidential information and may not disclose them to any third party other than us for any purpose after reporting.
2. If the contents of the report differ from the facts, or if the vulnerability is disclosed to a third party other than us (announcement at an external conference, etc.), and this is found to violate the confidentiality obligation, the following disadvantages may be incurred.
- Exclusion from evaluation and rewards for one year from the date of disclosure
- Where a reward has already been paid for the vulnerability, cancellation of the reward, full recovery of the amount paid, and legal action
Article 10 (Handling of Personal Information)
1. The company strives to protect participants' personal information as prescribed by related laws such as the Personal Information Protection Act.
2. The company uses the personal information provided by participants in this program (name, email, contact information, affiliation, address, and information necessary for remittance (account number, etc.)) for the smooth operation of the program and other necessary affairs.
3. The company retains the personal information received from the participant for three years from the date on which the reward for the participant's last reported vulnerability is determined and paid, or for the retention period under related laws such as the Income Tax Act.
Article 11 (Scope of Liability and Damages) (Revised September 22, 25)
1. Participants take part in this program at their own responsibility, and the company shall not be held liable for any damages incurred by participants from their participation in the program, unless such damages are caused by the company’s willful misconduct or negligence. Furthermore, the company shall not be involved in any disputes arising between participants or between participants and third parties. Such disputes must be resolved at the participant's own responsibility and expense. (Revised September 22, 25)
2. If a participant violates these Terms and Conditions, or if the Company suffers damages, or if a third party files an objection or claim for damages against the Company due to the participant's illegal acts or infringement of third-party rights while using the services provided by the Company, the participant shall indemnify the Company at their own expense and liability and shall compensate the Company for all damages incurred (including direct and indirect damages). (Added September 22, 25)
Article 12 (Change of Terms and Conditions)
1. The Company may change the contents of these Terms and Conditions to the extent that it does not violate the relevant laws and regulations.
2. If the company changes these terms and conditions, it shall specify the application date and notify it on the website at least one week before the application date.
3. If the company announces the revised terms and conditions in accordance with the preceding paragraph and receives a vulnerability report after the application date, the participant shall be deemed to have agreed to the revised terms and conditions.
Article 13 (Governing Law and Jurisdiction)
1. The company hopes that there will be no dispute. However, in the event of a dispute, the participants and the company agree to attempt to settle it informally for 60 days.
2. Litigation between the company and the participant is governed by the law of the Republic of Korea, and the competent court for litigation related to disputes between the company and the participant is determined in accordance with the Civil Procedure Act.
3. For a participant with an address or residence abroad, notwithstanding the preceding paragraph, the competent court for a lawsuit concerning a dispute between the company and the participant shall be the Seoul Central District Court of the Republic of Korea.
Article 14 (Inquiry about this program)
All inquiries about the Genians Bug Bounty program are accepted at bugbounty@genians.com and no other inquiries are accepted.
- Vulnerability Disclosure Program Policy Revision and Application Date: 2025-09-22