Vulnerability Disclosure Policy & Bug Bounty Program
Together, More Secure.
Effective Date: October 24, 2024.
Genians, Inc. is committed to protecting information to ensure the security of everyone. This Vulnerability Disclosure Policy provides clear guidance to the cybersecurity research community and the general public (security researchers) for conducting good faith vulnerability discovery activities and provides guidance on how to submit discovered vulnerabilities to us.
This policy describes which systems and which kinds of research are covered, how the bug bounty program works, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We want security researchers to feel comfortable reporting vulnerabilities they find as outlined in this policy so we can fix them and keep our users safe. We developed this policy to uphold our responsibility to security researchers who share their expertise with us in good faith.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Genians, Inc. will not actively pursue legal action related to your research.
If a third party takes legal action against you for activities that were conducted in accordance with this policy, we will notify the third party of this authorization.
Bug Bounty Program
We have a bug bounty program that offers rewards for reporting vulnerabilities.
Please report vulnerabilities via the bug bounty platform or the Google Form below.
Operating Background
A bug bounty is a program that pays rewards to those who discover vulnerabilities in software or web services.
Major global companies run bug bounty programs to discover vulnerabilities in their products and services and to strengthen security, and some companies also operate their own in-house bug bounty programs.
In addition, Korea’s National Cyber Security Center (NCSC), Korea Internet & Security Agency (KISA), and Financial Security Institute (FSI) operate security vulnerability reporting and reward systems to prevent intrusion incidents that exploit vulnerabilities, and Genians participates in the reporting and reward systems operated by KISA and FSI.
Vulnerability reporting and reward process
1. Security Vulnerability Reporting
We will notify the reporter when a vulnerability report submitted using the bug bounty platform or Google Forms has been verified. (We do not support PGP-encrypted emails.) To help us triage and prioritize submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots, videos are helpful).
- You are welcome to inquire about the status of the process, but please avoid contacting us more than once every 14 days so that our team can focus on your report as much as possible.
When you share your contact information with us, we commit to coordinating with you as openly and quickly as possible.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
- Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.
- We will not share your name or contact information without express permission.
Note) If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Genians, Inc., we may share your report with the relevant organizations and companies, where it will be handled under their coordinated vulnerability disclosure process.
2. Validate Report
Once you submit a vulnerability, we’ll confirm receipt of your report within 3 business days.
Genians will check the basic information of the reported vulnerability and determine whether it is a new vulnerability.
If we are unable to verify the report, we may request supplementary information; if it is not a new vulnerability, we will make that determination and provide feedback to the reporter.
3. Assessment / Patch
Genians assesses vulnerabilities determined to be new against its vulnerability assessment criteria and patches the affected products and services to address the vulnerability.
We provide feedback to the reporter on whether the vulnerability has been patched at the end of each month.
However, if the severity of the vulnerability is High or higher, you may request a follow-up check after the patch.
A follow-up check is when we ask you to confirm that the vulnerability has been patched.
4. Rewards Period
The reward is finalized, and when a vulnerability patch is confirmed, we notify you and pay the reward.
However, if the vulnerability is not patched, the reward will be paid in the month following 60 days from the date the report was received.
Additionally, for vulnerabilities that require a follow-up check, rewards are paid after a follow-up check is confirmed.
Policy
Participants who wish to participate in this bug bounty program and receive rewards must agree to the following terms and conditions, and if you report a vulnerability, you are deemed to have agreed to the following terms and conditions.
This policy explains the vulnerability reporting and reward process and the reward payment standards.
FAQ
For answers to some of the most frequently asked questions about bug bounty, see the following.
Vulnerability Disclosure
Genians, Inc. is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action is likely to increase rather than decrease risk.
We may share vulnerability reports with relevant organizations and any affected companies. We do not share security researchers’ names or contact data without their explicit permission.
We respond to vulnerabilities, including those involved in cyber security incidents or infringements, by registering CVEs and posting notices on the pages below.
Genian NAC / ZTNA
- https://docs.genians.com/nac/5.0/release/en/advisories/advisories.html
- https://docs.genians.com/nac/6.0/release/en/advisories/advisories.html
In addition, if our products are affected by a high-impact vulnerability in other software included in our products (such as open source software), we also post notices of the vulnerability.
Questions
Questions regarding this policy may be sent to bugbounty@genians.com. We also invite you to contact us with suggestions for improving this policy.