Genians, Inc. ("Company" or "Genians") implements the Genians Bug Bounty Program ("Program") which rewards reporting vulnerabilities in Genians products and services. Participants wishing to participate in this Bug Bounty Program and receive a reward must agree to these Terms and Conditions, and if they report a vulnerability, they will be deemed to have agreed to these Terms and Conditions.
Article 1 (Introduction)
The program aims to identify vulnerabilities in Genians products quickly, so that customers receive secure products and services, and to pay a reward ("compensate") for reported vulnerabilities at Genians' discretion. These terms and conditions are subject to change at any time, and by joining the program after a change you agree to the new terms and conditions.
Article 2 (Qualification and Method of Participation)
1. You can participate in this program if you meet all of the following criteria:
- You must not be an employee of Genians; retired executives and employees may participate one year after leaving the company.
- Participants must be able to communicate in Korean or English.
2. Participants bear all expenses required to participate in this program, and any contact necessary for the operation of this program will be made through the participant's e-mail.
3. If you discover any actual or potential security issues, please notify us as soon as possible. (Added October 4, 24)
4. If any vulnerabilities exist or any sensitive data (including personally identifiable information, financial information, proprietary information of any party, or trade secrets) is discovered, you must stop testing, notify us immediately, and must not disclose this data to anyone else. (Added October 4, 24)
Article 3 (Scope of Reporting)
1. Products and services subject to this program are as follows. (We plan to expand the scope of reporting over time.) (Revised October 4, 24)
- NAC Products: Genian NAC V4.* or above
- Cloud NAC CSM service: https://my.genians.com
- Genian Device Platform Intelligence API : https://pi-api.genians.com/pi/v1/apidocs/ (added June 1, 23)
- Genians company website : https://www.genians.com (Added October 4, 24)
2. Any service not explicitly listed in the reporting items above is out of scope, and you do not have permission to test it. If you are unsure whether a system is in scope, or if there is a specific system not included in this list that you believe needs testing, please contact us before beginning your investigation. (Added October 4, 24)
3. If you report a vulnerability in a product or service that is not covered by the program at the time of reporting, you will not receive a reward even if the product or service is added to the program later.
4. Vulnerabilities outside of Genians products and services are not eligible for evaluation and rewards, due to concerns about facilitating illegal hacking and the lack of verification under the relevant law. (Added October 4, 24)
Article 4 (Period and Method of Reporting)
1. This program runs continuously. However, Genians may terminate the Program as required without prior notice.
2. If a participant reported a vulnerability before the end of this program under the proviso to the preceding paragraph, the company will review it and notify the participant of the results even after this program has terminated.
3. Participants should report vulnerabilities in the manner guided by Genians. Vulnerabilities reported by other means are excluded from the reward payment.
4. Membership Registration URL for CSM Bug Bounty. (Added October 4, 24)
- If you report a vulnerability without registering as a member through the URL, you may be excluded from the reward.
- Membership registration for CSM bug bounty
Article 5 (Reward)
1. Genians determines the amount of reward at the company's discretion, depending on the severity of the reported vulnerability.
2. The evaluation score is calculated based on CVSS 3.1, the international standard for evaluating security vulnerabilities, taking into account the difficulty and the impact of an attack and how far the vulnerability can spread. The evaluation criteria are as follows. (Added October 4, 24 - Evaluation Standard)
| Large Category | Sub Category | Description |
|---|---|---|
| Exploitability | Attack Vector (AV) | Degree of accessibility of the attack path |
| Exploitability | Attack Complexity (AC) | Prerequisites the attacker must acquire, such as system configuration and attribute settings |
| Exploitability | Privileges Required (PR) | Privilege level required by an attacker to exploit the vulnerability |
| Exploitability | User Interaction (UI) | Actions a user must perform for the vulnerability to be exploited |
| Exploitability | Scope of Influence | The extent to which the vulnerability can affect permissions or resources beyond the vulnerable component |
| Attack Impact | Confidentiality Impact (C) | Degree of impact on the confidentiality of the product |
| Attack Impact | Integrity Impact (I) | Degree of impact on the integrity of the product |
| Attack Impact | Availability Impact (A) | Degree of impact on the availability of the product |
3. Based on the calculated CVSS score, the reward amount is determined according to the following criteria. (Revised September 1, 23)
| CVSS Score | Level of Severity | Rewards (KRW) |
|---|---|---|
| 9.0 ~ 10.0 | Critical | 5,400,000 ~ 9,000,000 |
| 7.0 ~ 8.9 | High | 2,520,000 ~ 3,600,000 |
| 4.0 ~ 6.9 | Medium | 720,000 ~ 1,800,000 |
| 0.1 ~ 3.9 | Low | 240,000 ~ 480,000 |
※ However, the table above indicates reference amounts according to the vulnerability evaluation score; the listed reward amounts are not guaranteed.
※ For foreign participants who must be paid in dollars, the reward will be paid at the KRW to USD exchange rate. (Added August 1, 23)
4. Even if you are excluded from the reward pursuant to Article 7(3), souvenirs or gifticons may be provided. (Added January 1, 23)
Article 6 (Review of submissions and reward procedures)
1. When a vulnerability report is received, the company has sole discretion to review the submissions, verify their eligibility, and determine which submissions are eligible. Review time depends on the complexity and completeness of the submission and the number of submissions received.
2. When the company receives reports of similar vulnerabilities from the same participant, vulnerabilities judged to be the same vulnerability are counted as one vulnerability even if they were filed in multiple vulnerability reports.
3. If multiple submissions are received for the same vulnerability from different participants, the reward will be given to the first eligible submission. However, if a duplicate report provides new information that was previously unknown to Genians, the reporter who submitted the duplicate report may be rewarded.
4. The company notifies the participant through the reporter's e-mail when it is determined whether or not the vulnerability reported by the participant is eligible for a reward. If it is determined that the reported vulnerability is eligible for Bug Bounty according to the conditions, the reward amount is notified and the necessary documents are requested for payment.
5. Participants must promptly provide valid and reliable information (hereinafter referred to as "information") necessary for the payment of the company's designated reward when asked to provide it through their e-mail account. If the participant does not provide the information within 14 days of the company's request, he/she shall be deemed to have waived the right to receive the reward. The bank transfer fee for transferring the reward is borne by the company.
- Participants with Korean bank accounts: The reward amount will be paid to the Korean bank account in Korean won.
- Participants with foreign bank accounts: The reward amount will be paid to the foreign bank account in dollars.
6. The bank account required to receive the reward is limited to the participant's own, and the name of the account holder and the name included in the information in the preceding paragraph must be the same.
7. The participant bears the tax on the reward, and the company pays the reward after deducting the amount required under the tax policy of the country to which the participant belongs.
8. In the following cases, the company's obligation to pay the reward expires:
- If the company sends a message to the participant's e-mail address but the participant does not respond within 14 days (including cases where the e-mail address was entered incorrectly, etc.)
- If the participant fails to receive all or part of the reward (including information errors, banking system failures, and participants who are subject to economic sanctions) despite proper remittance procedures based on the information received from the participant
9. Participants must not transfer the right to receive the reward to a third party or provide it as collateral.
10. If a participant is found to have violated these terms and conditions, the company may refuse to pay the reward or request the return of the reward paid to the participant.
11. Bounties for reports that are confirmed as vulnerabilities will be paid on the last day of the month following the month in which the vulnerability is confirmed to be patched or remediated. However, if the vulnerability is not patched, the bounty will be paid on the last day of the month following the date that is 60 days after receipt of the report. (Added September 1, 23)
12. For reports with a vulnerability severity rating of High or higher, the company may request the participant to perform an implementation check after patching. Participants who do not reply with the results of the implementation check within two weeks of the request may not receive a reward. (Added September 1, 23)
Article 7 (Prohibited Matters and Conditions for Exclusion from Rewards)
1. Participants must not do the following while participating in the Bug Bounty program:
- Acts that infringe on the rights of others or other illegal acts in violation of laws and regulations
- Scanning services with automated programs
- Denial of Service (DoS) attacks that impose a load on the service
- Physical attacks on the company's assets or data centers
- Viewing, deleting, modifying, or disclosing user data using a discovered vulnerability
- Reading, deleting, modifying, or disclosing source code, etc., using a discovered vulnerability
- Infringement of personal information, deterioration of user experience, and interruption of the operating system (Added October 4, 24)
- Prioritizing disclosure of discovered vulnerabilities (Added October 4, 24)
- Intentionally infringing upon intellectual property rights or other commercial or financial interests (Added October 4, 24)
- Submitting large quantities of low-quality reports (Added October 4, 24)
- Other acts contrary to the purpose of this program
2. The company may disqualify participants who violate the preceding paragraph from this program, and such participants will be excluded from the reward.
3. The following cases are excluded from evaluation and reward:
- The vulnerability cannot be reproduced when the vulnerability report is received
- Even if the vulnerability is reproduced at the time the report is received, the vulnerability is already known within Genians (e.g., known but not yet corrected; in this case, a full explanation of the circumstances and timing of the internal discovery is provided)
- Vulnerabilities that disable agents in various ways (stop, shut down, delete, etc.) (Revised September 1, 23)
- Vulnerabilities that are not manifested when performing security updates of essential elements (OS, framework, etc.) required for product operation, or vulnerabilities that occur only by changing them
- Obtaining information from the server through unnecessary actions beyond proving the vulnerability
- Vulnerabilities reported by other reporters first, vulnerabilities already reported elsewhere (KISA, etc.), and vulnerabilities already publicly known (3rd party related OSS vulnerabilities, etc.) (Revised May 6, 24)
- Cases where security updates cannot be developed, such as for discontinued products
- Cases where the reported information is false, exaggerated, or unclear such that the vulnerability cannot be identified, or where the report describes an incomplete vulnerability that presents only possibilities without proof
- Where the contents related to consent in the report have been arbitrarily tampered with before reporting
- Where the reporter specifies the exercise of copyright over the reported vulnerability information
- Denial-of-Service (DoS)-related vulnerabilities (Revised May 6, 24)
- Vulnerabilities that require too many user interventions or extreme user interventions (such as registry modifications) to be exploited
- Creating a vulnerability by turning off security functions
- Vulnerabilities that can cause very little damage or have very low ripple effects, for which the attacker does not need to use the reported vulnerability for exploitation
- Matters relating to privacy protection other than the technical vulnerabilities specified in these Terms and Conditions (Added January 1, 23)
- Vulnerabilities that only affect yourself (Self XSS, i.e., when you can only attack yourself by modifying your own packets) (Added January 1, 23)
- In the following cases:
  - Administrator page exposure, debugging response exposure, clickjacking, page modification using error pages, server application information exposure, security/CSP header related issues, cookie theft due to SSL not being applied (Added January 1, 23)
  - Reflected XSS, HSTS Not Enforced, Man in the Middle (MITM), DNS Record Not Enforced, User Enumeration vulnerabilities (Added May 6, 24)
  - Any scripting attacks on web pages with intentional script testing capabilities (Added April 6, 23)
- Vulnerabilities discovered by scanning tools (added May 6, 24)
- Vulnerabilities that only appear with developer mode enabled (added May 6, 24)
- Vulnerabilities using phishing (including social engineering techniques to trick users) or URL redirection (added May 6, 24)
- Other vulnerabilities judged to pose little or no security threat (Revised January 1, 23)
Article 8 (License of Rights and Submissions)
1. Participants have the authority to modify, process, and duplicate the subject of reporting under Article 3 to the extent necessary to participate in this program.
2. In the event that a participant has invented, created, or written something (hereinafter referred to as "invention, etc."), all rights, including copyright, are transferred to the company as soon as the participant submits the vulnerability to the company via e-mail, and the company may freely exercise and dispose of those rights.
3. Participants understand and acknowledge that Genians may develop material similar or identical to the participant's submission, and waive any claims that may arise due to similarity to the participant's submission.
4. Participants guarantee that their submission is their own work, that they have not used information owned by another person or organization, and that they have a legal right to provide the submission to Genians.
5. If an invention, etc. is a copyrighted work, the participant shall not claim or exercise copyright on the work against the company or a person designated by the company.
Article 9 (Handling confidential information of submissions received)
1. Participants shall treat vulnerabilities and related information (details of attack methods, etc.) as confidential information and may not disclose them to any third party other than us, for any purpose, after reporting.
2. If the contents of the report differ from the facts, or if the vulnerability is disclosed to a third party other than us (e.g., an announcement at an external conference), the following disadvantages may be incurred where a violation of confidentiality obligations is found:
- Exclusion from evaluation and reward for one year from the date of disclosure
- Where a reward has already been paid for the vulnerability, cancellation of the reward, full recovery of the paid reward, and legal action
Article 10 (Handling of Personal Information)
1. The company strives to protect participants' personal information as prescribed by related laws such as the Personal Information Protection Act.
2. The company uses the personal information provided by participants in this program (name, e-mail, contact information, affiliation, address, and information necessary for remittance such as account number) for the smooth operation of the program and other necessary affairs.
3. The company holds the personal information received from the participant for three years from the date of payment of the reward for the vulnerability the participant last reported, or for the retention period under related laws such as the Income Tax Act.
Article 11 (Immunity)
1. Participants participate in this program at their own responsibility, and the company shall not be responsible for any damage caused by participation in this program, except where the cause is attributable to the company.
2. The Company shall not be involved in any dispute between the Participants or between the Participants and any third party involved in this Program, and the Participants shall resolve the dispute at their own responsibility and expense.
Article 12 (Change of Terms and Conditions)
1. The Company may change the contents of these Terms and Conditions to the extent that it does not violate the relevant laws and regulations.
2. If the company changes these terms and conditions, it shall specify the application date and notify it on the website at least one week before the application date.
3. If the company announces the revised terms and conditions in accordance with the preceding paragraph and receives a vulnerability report after the application date, the participant shall be deemed to have agreed to the revised terms and conditions.
Article 13 (Governing Law and Jurisdiction)
1. The company hopes that there will be no dispute. However, in the event of a dispute, the participants and the company agree to settle it informally for 60 days.
2. Litigation between the company and the participant is governed by the law of the Republic of Korea, and the competent court for litigation related to disputes between the company and the participant is determined in accordance with the Civil Procedure Act.
3. In the case of a participant with an address or residence abroad, the competent court for a lawsuit concerning a dispute between the company and the participant shall be the Seoul Central District Court of the Republic of Korea, notwithstanding the preceding paragraph.
Article 14 (Inquiries about this program)
All inquiries about the Genians Bug Bounty program are accepted only at bugbounty@genians.com; inquiries through other channels are not accepted.
- Vulnerability Disclosure Program Policy Revision and Application Date: 2024-10-04