Vulnerability Disclosure Policy

How to report a security issue to eSolia, and what to expect

At a Glance

  1. Report to hello@esolia.co.jp
  2. Good-faith research welcome (safe harbor)
  3. No monetary bounty
  4. Recognition with your permission

Updated: 18 June 2026

eSolia welcomes reports of security vulnerabilities in the systems we operate. We value the work of security researchers and are committed to working with you to verify and resolve issues quickly. This policy explains how to report, what is in scope, and what you can expect from us.

This is our public vulnerability disclosure policy (VDP) referenced by our security.txt. For our broader site security overview, see Website Security; for our corporate ISO/IEC 27001 policy, see the Information Security Policy.

How to report

  • Email: hello@esolia.co.jp — our documented security contact (see security.txt). Put "Security Vulnerability" in the subject.
  • Or: our contact form with "Security Vulnerability" in the subject.
  • Encryption / languages: we read English and Japanese. If you need to share sensitive details securely, say so in your first message and we'll arrange a channel.

Please include:

  • A clear description of the issue and its potential impact
  • Steps to reproduce (proof-of-concept, requests, or screenshots)
  • The affected URL, endpoint, or component
  • How you'd like to be credited (see Recognition)

Scope

In scope — systems eSolia operates, including:

  • esolia.co.jp and its subdomains that we operate
  • Our public web applications and APIs hosted under those domains

Out of scope:

  • Third-party services and platforms we use but do not operate (report those to the respective vendor)
  • Our clients' systems and any non-eSolia property
  • Findings that require physical access, social engineering of our staff or customers, or compromised credentials
  • Denial-of-service (DoS/DDoS), volumetric or automated scanning, and load/stress testing
  • Reports based solely on automated-scanner output without a demonstrated, realistic impact
  • Best-practice suggestions with no concrete security impact (e.g. missing headers with no exploit) — welcome, but triaged as informational

If you're unsure whether something is in scope, ask first.

Safe harbor

We will not pursue or support legal action against you for security research conducted in good faith and in accordance with this policy. Specifically, if you:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption;
  • Only interact with accounts you own or have explicit permission to test;
  • Do not access, modify, or retain data beyond the minimum needed to demonstrate the issue;
  • Give us a reasonable opportunity to remediate before disclosing publicly; and
  • Do not exploit the issue beyond proof-of-concept,

then we consider your research authorized, and we will work with you rather than against you. If legal action is initiated by a third party against you for activity conducted consistent with this policy, we will make this authorization known.

What we ask

  • Don't break things or access others' data. Stop at proof-of-concept.
  • Keep it confidential until we've had a reasonable chance to fix it. We aim to agree on a coordinated timeline with you.
  • One issue per report, with enough detail for us to reproduce it.

No monetary bounty

eSolia does not operate a paid bug-bounty program, and there is no monetary reward for reports. We will not negotiate payment for vulnerability information. What we offer instead is prompt, respectful handling and public recognition (below) if you'd like it.

Recognition

With your permission, we're glad to credit you on our security acknowledgments list, which is referenced from our security.txt. You can choose:

  • The name to display, and
  • Optionally, one link beside your name (e.g. a GitHub or HackerOne profile). For your privacy and ours, outbound links are published with rel="nofollow".

Name-only is fine, and you may decline recognition entirely. We list researchers only for reports we have verified and resolved, and only with your explicit consent.

What to expect from us

  • Acknowledgment: we aim to confirm receipt within 24 hours (business days; we're based in Japan, JST).
  • Triage: we'll verify the report and let you know whether we can reproduce it.
  • Resolution: we'll keep you updated through remediation and, if you wish, invite you to retest the fix.

Changes

We may update this policy. The current version date appears at the top of this page, and the canonical machine-readable pointer lives in our security.txt.
