37112 policies in database
Link to program      
PlayStation logo



Program Overview

At PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal. We believe that through close partnerships with the security research community we can deliver a safer place to play.

If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through Sony’s public Vulnerability Disclosure Program.


We are currently interested in reports on the PlayStation 4 and PlayStation 5 systems, operating systems, accessories and the PlayStation Network. Bounty-eligible PlayStation Network domains are listed at the bottom of this policy in our Scope section.

For the PlayStation 4 and PlayStation 5 systems, accessories and operating systems, we will accept submissions on the current released or beta version of system software. PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.


  • PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware

  • Any domains not explicitly listed in the scope above

  • Corporate IT infrastructure

  • Open source software vulnerabilities which have been public for less than 7 days

  • Software published by third party entities, including games, applications, etc

Responsible Disclosure

PlayStation firmly believes in responsible disclosure and we ask that you:

  • Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:

    • Promptly

    • In sufficient detail for us to determine the validity of the vulnerability

    • Without coercion, dishonesty, or fraudulent intent

  • Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request directly in your report. We look forward to disclosing issues that positively contribute to the security community.

  • Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer of storage of data, up to and including method for deletion of data and certification of your actions

  • Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)

  • Otherwise comply with all applicable laws.

  • Please note reports closed as Spam, Not Applicable, or Informative may not be approved for disclosure.

  • Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.

  • Sony reserves the right to modify or terminate this program at any time.

In return you can expect:

  • We will respond within a timely manner

  • We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws

  • We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy

  • We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.

  • If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail

  • While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:

    • Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.

    • Will not disclose your identity to the third party without your permission

    • We will notify the third party of our authorization of your activities under this policy, as necessary.

Out-of-Scope Vulnerabilities

  • Social engineering attacks, including those targeting internal employees

  • Physical attacks against our infrastructure, facilities and offices

  • Scanner output or scanner-generated reports, including any automated or active exploit tool

  • Content spoofing and text injection issues without being able to modify HTML/CSS

  • Any vulnerability obtained through the compromise of employee account

  • Network Vulnerabilities:

    • Account takeover (PLA, User enumeration, etc)

    • Spam

    • Clickjacking, Login/logout CSRF

    • Fingerprinting, error message disclosure

    • Protocol level attacks (e.g BEAST/BREACH)

    • Lack of security headers, httponly flags, etc


Sony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions. Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.

In Scope

Scope Type Scope Name

PlayStation 4


PlayStation 5


PlayStation Network





















This program have been found on Hackerone on 2020-07-21.

FireBounty © 2015-2023

Legal notices | Privacy