At PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal. We believe that through close partnerships with the security research community we can deliver a safer place to play.
If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through Sony’s public Vulnerability Disclosure Program.
We are currently interested in reports on the PlayStation 4 and PlayStation 5 systems, operating systems, accessories and the PlayStation Network. Bounty-eligible PlayStation Network domains are listed at the bottom of this policy in our Scope section.
For the PlayStation 4 and PlayStation 5 systems, accessories and operating systems, we will accept submissions on the current released or beta version of system software. PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.
PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware
Any domains not explicitly listed in the scope above
Corporate IT infrastructure
Open source software vulnerabilities which have been public for less than 7 days
Software published by third party entities, including games, applications, etc
PlayStation firmly believes in responsible disclosure and we ask that you:
Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:
In sufficient detail for us to determine the validity of the vulnerability
Without coercion, dishonesty, or fraudulent intent
Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request directly in your report. We look forward to disclosing issues that positively contribute to the security community.
Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer of storage of data, up to and including method for deletion of data and certification of your actions
Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)
Otherwise comply with all applicable laws.
Please note reports closed as Spam, Not Applicable, or Informative may not be approved for disclosure.
Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.
Sony reserves the right to modify or terminate this program at any time.
In return you can expect:
We will respond within a timely manner
We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws
We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy
We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.
If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail
While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:
Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.
Will not disclose your identity to the third party without your permission
We will notify the third party of our authorization of your activities under this policy, as necessary.
Social engineering attacks, including those targeting internal employees
Physical attacks against our infrastructure, facilities and offices
Scanner output or scanner-generated reports, including any automated or active exploit tool
Content spoofing and text injection issues without being able to modify HTML/CSS
Any vulnerability obtained through the compromise of employee account
Account takeover (PLA, User enumeration, etc)
Clickjacking, Login/logout CSRF
Fingerprinting, error message disclosure
Protocol level attacks (e.g BEAST/BREACH)
Lack of security headers, httponly flags, etc
Sony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions. Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.
|Scope Type||Scope Name|
This program have been found on Hackerone on 2020-07-21.