Security Vulnerability Reporting
If you believe you’ve found a security vulnerability in one of our web properties, we’d like to hear about it. This page explains how to report it and what to expect from us.
Who we are
Custom Media K.K. is a B2B marketing agency based in Tokyo, operating two brands — Custom Media and AIM B2B — under a single legal entity. This policy covers both.
How to report
Email security@custom-media.com with:
- The affected URL or system
- A clear description of the issue
- Steps to reproduce, if you have them
- Your name or handle, if you’d like to be credited
Reports are monitored by our CTO and COO. We read every message.
If the report is sensitive, mention it in your first email and we’ll reply with a secure channel.
What we’ll do
- Acknowledge your report within five business days
- Assess the technical merit on its own, regardless of how it was found
- Fix valid issues through our standard remediation process
- Credit you publicly if you’d like, once any fix is in place
What we won’t do
We don’t pay for vulnerability reports. We don’t operate a paid bug bounty program. If you’re looking for a payout, this isn’t the right channel — please don’t send a report expecting one.
We also won’t:
- Confirm or deny specific findings in writing during assessment
- Share details about our internal scanning, infrastructure, or remediation timelines
- Provide ongoing status updates on individual reports
This isn’t personal — it’s how responsible disclosure works. Confirming exploitability in writing can be misused, and we keep our internal security posture private.
Good-faith research
If you research in good faith — meaning you don’t access data beyond what’s needed to prove the issue, don’t disrupt our services, don’t extort us, and give us a reasonable window to fix things before publishing — we won’t pursue legal action against you.
In scope
- custom-media.com and subdomains we operate
- AIM B2B web properties we operate
- Client-facing systems that we host directly
Out of scope
- Third-party platforms we use but don’t control (HubSpot, Google services, Kinsta hosting infrastructure, Meta, and similar) — please report those to the vendor directly
- Social engineering of our staff, clients, or partners
- Physical attacks against our office or staff
- Denial-of-service or volumetric attacks
- Findings that require already-compromised credentials or devices
- Reports generated by automated scanners with no demonstrated impact
- Self-XSS or issues that require the victim to paste attacker-controlled code into their own browser
- Missing security headers, weak SSL configurations, or other best-practice findings without a concrete exploit path
Payment requests and threats
Reports that lead with a payment request, demand cryptocurrency, gift cards, or vouchers, or threaten public disclosure or regulatory complaints will be closed without engagement. We assess the technical claim on its merits and act if there’s a real issue — but we won’t be pressured into paying or negotiating.
Languages
We accept reports in English and Japanese.