The purpose of this document is to outline the terms and conditions under which we will pay bounties for ethically reported bugs.
Keeping user information safe and secure is a top priority and a core principle at Ricoh. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Ricoh employees and users.
Ricoh provides rewards to vulnerability reporters at its discretion. Our minimum reward is $50 USD. Reward amounts may vary depending upon the severity of the vulnerability reported and the quality of the report. Keep in mind that this is not a contest or competition. Listed below are the usual rewards for vulnerabilities affecting the key Ricoh applications and products.
Applications in Scope
Eligibility and Responsible Disclosure
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
The following issues are outside the scope of our rewards program:
Notes on SSRF Submissions
Before submitting an SSRF report, please ensure that the response you are receiving is neither:
Either of these responses usually indicates that your request was blocked and is not a valid SSRF.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with Ricoh’s Bug Bounty policy, Ricoh will take steps to make it known that your actions were conducted in compliance with this policy.
The Fine Print
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We will not apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Ricoh employees and their family members are not eligible for bounties.
How to Make a Report
All reports should be sent to BugBountyReporting@ricoh-usa.com.
Note: This email is not for the reporting of RICOH hardware related vulnerabilities.
Use the following format for all submissions:
Except as otherwise stated, there are no exceptions to this policy.
Procedure Retention Period: Permanently, or until superseded.
Revision/Review Cycle: Annual
Note that this policy/procedure can be revised at any time by the owner or other authorized party. The time period noted here establishes the maximum time that can elapse after the issue date before the procedure is at least reviewed for accuracy and relevancy.
Revision Date: 01-2021