Vulnerability Disclosure Policy

  1. Vulnerability Disclosure Policy

    ・Introduction

    Bandai Co., Ltd. (“Bandai”) is committed to ensuring the security of our products and services, recognizing that their security is of critical importance to us in building trust and confidence with our customers.

    This Vulnerability Disclosure Policy sets forth our commitments to and procedures for disclosure of potential security vulnerabilities to Bandai.

    This Vulnerability Disclosure Policy applies to your report to us concerning any security vulnerabilities. Please read this Vulnerability Disclosure Policy carefully before you report any security vulnerability and comply with it.

    ・Scope

    This Vulnerability Disclosure Policy only applies to the vulnerabilities in the following products and services (the “Digital Products”):

    • Internet/network-connectable products and related services of BANDAI

    The corporate websites listed below are out of scope of this vulnerability disclosure program.
    For example:

    • *.bandai.co.jp
    • *.bandaispirits.co.jp
    • *.bandai-hobby.net
    • *.bandainamcoid.com
    • *.bandainamcoent.com
    • *.bandainamco-am.co.jp

    We cannot respond to reports that are out of scope.

    ・How to report a security vulnerability

    If you would like to report a potential security vulnerability regarding the internet-based products and related services of Bandai, please go to the link below and report it.

    Please note that we cannot respond to any inquiry other than those related to the security vulnerability of Bandai products or related services.

    When reporting a potential security vulnerability, please include the following information:

    • Product name and version containing the suspected weakness / vulnerability (e.g., Product code such as EAN, JAN and/or UPC, 7-digit item code number on the product, product name, location of purchase);
    • Environment or system information under which the issue was reproduced (e.g., product model number, operating system version, and other related information);
    • Common Weakness Enumeration (CWE) and type and/or class of vulnerability (e.g., cross-site scripting, buffer overflow, denial of service, remote code execution);
    • Step-by-step instructions to reproduce the vulnerability;
    • Proof-of-concept or exploit code;
    • Potential impact of the vulnerability.

    ・How we handle security vulnerability disclosure

    After you have submitted your report, we will respond to you within 5 business days and thereafter we will keep you updated on the progress every 30 days or more often.

    ・Legalities

    This Vulnerability Disclosure Policy is designed to be compatible with common vulnerability disclosure good practice. It will not give you any permission to act in any manner that is inconsistent with the applicable laws or restrictions, or which might cause Bandai or its affiliated companies to be in breach of any of its legal obligations.

    As a part of the submission process, please do not submit any personal data, or upload any documents that contain personally identifiable information. This includes, but is not limited to, resumes, photos of yourself or others, precise geographical location, or anything containing confidential or proprietary information (ideas, concepts, know-how, techniques, etc.) not relevant to the security vulnerability.