Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.

The Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.

If you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept.

When investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services. Do not utilize an identified vulnerability to pivot to other hosts or services. If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.

Reports of broken link hijacking without proof of significant potential impact to Sony will likely be closed as N/A

We value the positive impact of your work and thank you in advance for your contribution.

Qualifying Vulnerabilities

The Secure@Sony team is interested in the following types of vulnerabilities:

• Cross-Site Scripting (XSS)

• Cross-Site Request Forgery (CSRF)

• Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)

• Insecure Direct Object References

• Injection Vulnerabilities

• Authentication Vulnerabilities

• Server-Side Code Execution

• Privilege Escalation

• Significant Security Misconfiguration (when not caused by user)

• Directory Traversal

• Information Disclosure

• Open Redirects

• Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product)

Sony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.

Non-Qualifying Vulnerabilities

The following submissions are not accepted by Secure@Sony:

• Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps

• Clickjacking

• Logout Cross-Site Request Forgery

• Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]

• Descriptive Error Messages

• Fingerprinting/Banner disclosure on common public services

• Lack of secure/HTTPOnly flags

• HTTP Methods

• SSL Attacks, such as BEAST/BREACH

• Subdomain takeovers without a complete proof of concept

• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML

• CMS Application updates within 5 business days of release (e.g., WordPress security releases)

• Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)

• Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins

• Any Sony-developed software/hardware that is End of Life or no longer supported

• Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony

• Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access

Recognition:

Once a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.

Swag shipments are processed once a month but may be delayed due to COVID-19. Thank you for your understanding!

Sony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.

Sony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.

Responsible Disclosure

Sony believes in responsible disclosure and we ask that researchers:

• Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:

      - Promptly
  
      - In sufficient detail for us to determine the validity of the vulnerability
  
      - Without coercion, dishonesty, or fraudulent intent
  

• Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request directly in your report.

      - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.
  

• Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.

Legal Notice:

If we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:

• You do not cause harm to Sony or our customers;

• You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;

• You do not violate any law;

• Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;

• To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and

• You do not publicly disclose or share the vulnerability details without the written permission of Sony.

Violation of these requirements may result in permanent disqualification from the program.

Any activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.

We may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.

Sony reserves the right to modify or terminate this program at any time.