Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.
The Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.
If you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.
The Secure@Sony team is interested in the following types of vulnerabilities:
Sony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.
The following submissions are not accepted by Secure@Sony:
Once a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.
Sony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, previously unreported vulnerability. Sony reserves the right to withhold recognition from researchers who in the past have violated the processes defined herein.
Sony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.
If we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:
Violation of these requirements may result in permanent disqualification from the program.
Any activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.
We may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.
Sony reserves the right to modify or terminate this program at any time.
Security vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.