Hall of Fame


Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.

The Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.

If you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.

Qualifying Vulnerabilities

The Secure@Sony team is interested in the following types of vulnerabilities:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
  • Insecure Direct Object References
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-Side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)
  • Directory Traversal
  • Information Disclosure
  • Open Redirects
  • Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product)

Sony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.

Non-Qualifying Vulnerabilities

The following submissions are not accepted by Secure@Sony:

  • Clickjacking
  • Logout Cross-Site Request Forgery
  • Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]
  • Descriptive Error Messages
  • Fingerprinting/Banner disclosure on common public services
  • Lack of secure/HttpOnly flags
  • HTTP Methods
  • SSL Attacks, such as BEAST/BREACH
  • Subdomain takeovers without a complete proof of concept
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML
  • CMS Application updates within 5 business days of release (e.g., WordPress security releases)
  • Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)
  • Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins
  • Any Sony-developed software/hardware that is End of Life or no longer supported
  • Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony
  • Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access
  • Any vulnerability obtained through the compromise of a Sony user or employee account


Once a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.

Sony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.

Sony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.

Legal Notice:

If we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:

  • You do not cause harm to Sony or our customers;
  • You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;
  • You do not violate any law;
  • Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;
  • To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and
  • You do not publicly disclose or share the vulnerability details without the written permission of Sony.

Violation of these requirements may result in permanent disqualification from the program.

Any activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.

We may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.

Sony reserves the right to modify or terminate this program at any time.


Security vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.

This program, crawled on 2018-02-26, is sorted as bounty.
