[{"id":3774345,"new_policy":"## Program Overview\n\nAt PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal. We believe that through close partnerships with the security research community we can deliver a safer place to play.\n\n*If you find a vulnerability on a PlayStation or Sony asset that is not covered by the PlayStation program, please report it through [Sony’s public Vulnerability Disclosure Program](https://hackerone.com/sony).*  \n\n\n## Scope\n\nWe are interested in reports on the PlayStation 5 and PlayStation 4 consoles, operating systems, and platform. Bounty-eligible PlayStation domains are listed in the scope tab.\n\nFor the PlayStation 5 and PlayStation 4 systems, accessories and operating systems, we will accept submissions on the current released or beta version of system software. PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.\n\n\n## Out-of-Scope\n\n* PlayStation 1, PlayStation 2, PlayStation 3, PS Vita, PSP, and any other hardware not explicitly listed in our scope, including accessories and peripherals\n* Any domains not explicitly listed in the scope section\n     * Out of scope issues submitted may be reviewed and accepted without bounty based on demonstrated impact\n* Corporate IT infrastructure\n* Open source software vulnerabilities which have been public for less than 7 days\n     * Issues targeting open source libraries or distributions may be redirected to their appropriate supporter\n* Software published by third party entities, including games, applications, etc\n* Vulnerabilities in third-party services where remediation is outside of PlayStation's control (e.g., SaaS tools on in-scope domains that we cannot patch)\n* Social engineering attacks, including those targeting internal employees\n* Physical attacks against our infrastructure, facilities and offices\n* Scanner output or 
scanner-generated reports, including any automated or active exploit tool\n* Any vulnerability obtained through the compromise of an employee account\n* Multiple instances of the same vulnerability across related assets (e.g., hosts sharing a common root cause) are treated as a single finding\n* Vulnerabilities out of scope by default:\n\t* Brute forcing\n\t* Lack of rate limiting without tangible security impact (e.g., no rate limiting on a public API or login)\n\t* Usage of stolen credentials\n\t* Spam\n\t* Clickjacking, Login/logout CSRF\n\t* Fingerprinting, error message disclosure\n\t* Protocol level attacks (e.g., BEAST/BREACH)\n\t* Lack of security headers (httponly flags, etc)\n\t* Cache poisoning without controlling content or cache poisoning denying access to non-critical files (e.g., images)\n\t* Content spoofing and text injection issues without being able to modify HTML/CSS\n\t* Best practices without security impact (e.g., RFC recommendations without security impact)\n\t* Denial of Service in Web / Network Assets\n\t* Vulnerabilities under H1's Core Ineligible Findings\n\t* Route53 NS hijack\n\t* All subdomain takeovers will be considered medium severity until further impact is shown\n\n\n## Responsible Disclosure\n\nPlayStation firmly believes in responsible disclosure and we ask that you:\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n     * Promptly\n     * In sufficient detail for us to determine the validity of the vulnerability\n     * Without coercion, dishonesty, or fraudulent intent\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance\n     * If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/terms/disclosure-guidelines). 
We look forward to disclosing issues that positively contribute to the security community \n\n\n## Rules of Engagement\n\n* Not use, alter, transfer, or access any data (personal or otherwise) within our environment beyond what is required to demonstrate the vulnerability\n* To immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data\n* To comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer or storage of data\n* To facilitate clean up by detailing all data used as part of testing, your actions done as part of testing, including potentially disclosing source IP\n* Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)\n* Not to target or impersonate PlayStation's public presence (social media, gaming profiles, etc) as part of your testing (no defacement)\n* Otherwise comply with all applicable laws\n* Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past \n\nIn return you can expect:\n* We will respond in a timely manner\n* We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws\n* We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy\n* If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail\n* While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or 
implementation of the networks, systems, information, applications, products, or services of others, we:\n     * Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.\n     * Will not disclose your identity to the third party without your permission\n     * We will notify the third party of our authorization of your activities under this policy, as necessary.\n    \nPlease note reports closed as Spam, Not Applicable, or Informative may **not** be approved for disclosure.\nSony reserves the right to modify or terminate this program at any time.\n\n\n## Legal\n\nSony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions.  Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-15T21:31:34.809Z"},{"id":3644197,"new_policy":"## Program Overview\nAt PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal.  We believe that through close partnerships with the security research community we can deliver a safer place to play.\n\n*If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through [Sony’s public Vulnerability Disclosure Program](https://hackerone.com/sony).*  \n\n## Scope\n\nWe are currently interested in reports on the PlayStation 4 and PlayStation 5 systems, operating systems, accessories and the PlayStation Network. Bounty-eligible PlayStation Network domains are listed at the bottom of this policy in our Scope section.  
\n\nFor the PlayStation 4 and PlayStation 5 systems, accessories and operating systems, we will accept submissions on the current released or beta version of system software.  PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.\n\n## Out-of-Scope\n\n* PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware\n* Any domains not explicitly listed in the scope above\n* Corporate IT infrastructure\n* Open source software vulnerabilities which have been public for less than 7 days\n* Software published by third party entities, including games, applications, etc\n\n## Responsible Disclosure\n\nPlayStation firmly believes in responsible disclosure and we ask that you:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n     * Promptly\n     * In sufficient detail for us to determine the validity of the vulnerability\n     * Without coercion, dishonesty, or fraudulent intent\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://docs.hackerone.com/programs/disclosure.html). We look forward to disclosing issues that positively contribute to the security community.  
\n* Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer or storage of data, up to and including method for deletion of data and certification of your actions\n* Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)\n* Otherwise comply with all applicable laws.\n* Please note reports closed as Spam, Not Applicable, or Informative may **not** be approved for disclosure.\n* Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.\n* Sony reserves the right to modify or terminate this program at any time.\n\nIn return you can expect:\n\n* We will respond in a timely manner\n* We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws\n* We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy\n* We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.  
\n* If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail\n* While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:\n     * Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.\n     * Will not disclose your identity to the third party without your permission\n     * We will notify the third party of our authorization of your activities under this policy, as necessary.\n\n## Out-of-Scope Vulnerabilities\n\n* Social engineering attacks, including those targeting internal employees\n* Physical attacks against our infrastructure, facilities and offices\n* Scanner output or scanner-generated reports, including any automated or active exploit tool\n* Content spoofing and text injection issues without being able to modify HTML/CSS\n* Any vulnerability obtained through the compromise of an employee account\n* Network Vulnerabilities:\n     * Account takeover (PLA, User enumeration, etc)\n     * Spam\n     * Clickjacking, Login/logout CSRF\n     * Fingerprinting, error message disclosure\n     * Protocol level attacks (e.g., BEAST/BREACH)\n     * Lack of security headers, httponly flags, etc\n\n## Legal\n\nSony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions.  
Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-23T22:23:36.866Z"},{"id":3644196,"new_policy":"## Program Overview\nAt PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal.  We believe that through close partnerships with the security research community we can deliver a safer place to play.\n\n*If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through [Sony’s public Vulnerability Disclosure Program](https://hackerone.com/sony).*  \n\n## Scope\n\nWe are currently interested in reports on the PlayStation 4 and 5 systems, operating systems, accessories and the PlayStation Network. Bounty-eligible PlayStation Network domains are listed at the bottom of this policy in our Scope section.  \n\nFor the PlayStation 4 and 5 systems, accessories and operating systems, we will accept submissions on the current released or beta version of system software.  
PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.\n\n## Out-of-Scope\n\n* PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware\n* Any domains not explicitly listed in the scope above\n* Corporate IT infrastructure\n* Open source software vulnerabilities which have been public for less than 7 days\n* Software published by third party entities, including games, applications, etc\n\n## Responsible Disclosure\n\nPlayStation firmly believes in responsible disclosure and we ask that you:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n     * Promptly\n     * In sufficient detail for us to determine the validity of the vulnerability\n     * Without coercion, dishonesty, or fraudulent intent\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://docs.hackerone.com/programs/disclosure.html). We look forward to disclosing issues that positively contribute to the security community.  
\n* Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer or storage of data, up to and including method for deletion of data and certification of your actions\n* Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)\n* Otherwise comply with all applicable laws.\n* Please note reports closed as Spam, Not Applicable, or Informative may **not** be approved for disclosure.\n* Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.\n* Sony reserves the right to modify or terminate this program at any time.\n\nIn return you can expect:\n\n* We will respond in a timely manner\n* We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws\n* We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy\n* We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.  
\n* If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail\n* While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:\n     * Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.\n     * Will not disclose your identity to the third party without your permission\n     * We will notify the third party of our authorization of your activities under this policy, as necessary.\n\n## Out-of-Scope Vulnerabilities\n\n* Social engineering attacks, including those targeting internal employees\n* Physical attacks against our infrastructure, facilities and offices\n* Scanner output or scanner-generated reports, including any automated or active exploit tool\n* Content spoofing and text injection issues without being able to modify HTML/CSS\n* Any vulnerability obtained through the compromise of an employee account\n* Network Vulnerabilities:\n     * Account takeover (PLA, User enumeration, etc)\n     * Spam\n     * Clickjacking, Login/logout CSRF\n     * Fingerprinting, error message disclosure\n     * Protocol level attacks (e.g., BEAST/BREACH)\n     * Lack of security headers, httponly flags, etc\n\n## Legal\n\nSony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions.  
Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-23T22:09:15.616Z"},{"id":3641745,"new_policy":"## Program Overview\nAt PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal.  We believe that through close partnerships with the security research community we can deliver a safer place to play.\n\n*If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through [Sony’s public Vulnerability Disclosure Program](https://hackerone.com/sony).*  \n\n## Scope\n\nWe are currently interested in reports on the PlayStation 4 system, operating system, accessories and the PlayStation Network. Bounty-eligible PlayStation Network domains are listed at the bottom of this policy in our Scope section.  \n\nFor the PlayStation 4 system, accessories and operating system, we will accept submissions on the current released or beta version of system software.  
PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.\n\n## Out-of-Scope\n\n* PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware\n* Any domains not explicitly listed in the scope above\n* Corporate IT infrastructure\n* Open source software vulnerabilities which have been public for less than 7 days\n* Software published by third party entities, including games, applications, etc\n\n## Responsible Disclosure\n\nPlayStation firmly believes in responsible disclosure and we ask that you:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n     * Promptly\n     * In sufficient detail for us to determine the validity of the vulnerability\n     * Without coercion, dishonesty, or fraudulent intent\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://docs.hackerone.com/programs/disclosure.html). We look forward to disclosing issues that positively contribute to the security community.  
\n* Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer or storage of data, up to and including method for deletion of data and certification of your actions\n* Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)\n* Otherwise comply with all applicable laws.\n* Please note reports closed as Spam, Not Applicable, or Informative may **not** be approved for disclosure.\n* Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.\n* Sony reserves the right to modify or terminate this program at any time.\n\nIn return you can expect:\n\n* We will respond in a timely manner\n* We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws\n* We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy\n* We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.  
\n* If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail\n* While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:\n     * Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.\n     * Will not disclose your identity to the third party without your permission\n     * We will notify the third party of our authorization of your activities under this policy, as necessary.\n\n## Out-of-Scope Vulnerabilities\n\n* Social engineering attacks, including those targeting internal employees\n* Physical attacks against our infrastructure, facilities and offices\n* Scanner output or scanner-generated reports, including any automated or active exploit tool\n* Content spoofing and text injection issues without being able to modify HTML/CSS\n* Any vulnerability obtained through the compromise of an employee account\n* Network Vulnerabilities:\n     * Account takeover (PLA, User enumeration, etc)\n     * Spam\n     * Clickjacking, Login/logout CSRF\n     * Fingerprinting, error message disclosure\n     * Protocol level attacks (e.g., BEAST/BREACH)\n     * Lack of security headers, httponly flags, etc\n\n## Legal\n\nSony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions.  
Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-26T23:15:16.697Z"},{"id":3641467,"new_policy":"## Program Overview\nAt PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal.  We believe that through close partnerships with the security research community we can deliver a safer place to play.\n\n*If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through [Sony’s public Vulnerability Disclosure Program](https://hackerone.com/sony).*  \n\n## Scope\n\nWe are currently interested in reports on the PlayStation 4 system, operating system, accessories and the PlayStation Network. Bounty-eligible PlayStation Network domains are listed at the bottom of this policy in our Scope section.  \n\nFor the PlayStation 4 system, accessories and operating system, we will accept submissions on the current released or beta version of system software.  
PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.\n\n## Out-of-Scope\n\n* PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware\n* Any domains not explicitly listed in the scope above\n* Corporate IT infrastructure\n* Open source software vulnerabilities which have been public for less than 7 days\n* Software published by third party entities, including games, applications, etc\n\n## Responsible Disclosure\n\nPlayStation firmly believes in responsible disclosure and we ask that you:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n     * Promptly\n     * In sufficient detail for us to determine the validity of the vulnerability\n     * Without coercion, dishonesty, or fraudulent intent\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://docs.hackerone.com/programs/disclosure.html). We look forward to disclosing issues that positively contribute to the security community.  
\n* Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer or storage of data, up to and including method for deletion of data and certification of your actions\n* Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)\n* Otherwise comply with all applicable laws.\n* Please note reports closed as Spam, Not Applicable, or Informative may **not** be approved for disclosure.\n* Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.\n* Sony reserves the right to modify or terminate this program at any time.\n\nIn return you can expect:\n\n* We will respond in a timely manner\n* We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws\n* We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy\n* We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.  
\n* If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail\n* While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:\n     * Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.\n     * Will not disclose your identity to the third party without your permission\n     * We will notify the third party of our authorization of your activities under this policy, as necessary.\n\n## Out-of-Scope Vulnerabilities\n\n* Social engineering attacks, including those targeting internal employees\n* Physical attacks against our infrastructure, facilities and offices\n* Scanner output or scanner-generated reports, including any automated or active exploit tool\n* Any vulnerability obtained through the compromise of an employee account\n* Network Vulnerabilities:\n     * Account takeover (PLA, User enumeration, etc)\n     * Spam\n     * Clickjacking, Login/logout CSRF\n     * Fingerprinting, error message disclosure\n     * Protocol level attacks (e.g., BEAST/BREACH)\n     * Lack of security headers, httponly flags, etc\n\n## Legal\n\nSony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions.  
Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-19T22:06:42.059Z"},{"id":3638384,"new_policy":"## Program Overview\nAt PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal.  We believe that through close partnerships with the security research community we can deliver a safer place to play.\n\n*If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through [Sony’s public Vulnerability Disclosure Program](https://hackerone.com/sony).*  \n\n## Scope\n\nWe are currently interested in reports on the PlayStation 4 system, operating system, accessories and the PlayStation Network. For PlayStation Network the following domains are in scope:\n\n* *.playstation.net\n* *.sonyentertainmentnetwork.com\n* *.api.playstation.com\n* my.playstation.com\n* store.playstation.com\n* social.playstation.com\n* transact.playstation.com\n* wallets.api.playstation.com\n\nFor the PlayStation 4 system, accessories and operating system, we will accept submissions on the current released or beta version of system software.  
PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.\n\n## Out-of-Scope\n\n* PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware\n* Any domains not explicitly listed in the scope above\n* Corporate IT infrastructure\n* Open source software vulnerabilities which have been public for less than 7 days\n* Software published by third party entities, including games, applications, etc\n\n## Responsible Disclosure\n\nPlayStation firmly believes in responsible disclosure and we ask that you:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n     * Promptly\n     * In sufficient detail for us to determine the validity of the vulnerability\n     * Without coercion, dishonesty, or fraudulent intent\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://docs.hackerone.com/programs/disclosure.html). We look forward to disclosing issues that positively contribute to the security community.  
\n* Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data; to comply with our instructions for mitigating the consequences of inadvertent access, viewing, alteration, transfer or storage of data, up to and including method for deletion of data and certification of your actions\n* Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)\n* Otherwise comply with all applicable laws.\n* Please note reports closed as Spam, Not Applicable, or Informative may **not** be approved for disclosure.\n* Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.\n* Sony reserves the right to modify or terminate this program at any time.\n\nIn return you can expect:\n\n* We will respond in a timely manner\n* We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws\n* We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy\n* We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.  
\n* If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail\n* While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:\n     * Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.\n     * Will not disclose your identity to the third party without your permission\n     * We will notify the third party of our authorization of your activities under this policy, as necessary.\n\n## Out-of-Scope Vulnerabilities\n\n* Social engineering attacks, including those targeting internal employees\n* Physical attacks against our infrastructure, facilities and offices\n* Scanner output or scanner-generated reports, including any automated or active exploit tool\n* Any vulnerability obtained through the compromise of an employee account\n* Network Vulnerabilities:\n     * Account takeover (PLA, User enumeration, etc)\n     * Spam\n     * Clickjacking, Login/logout CSRF\n     * Fingerprinting, error message disclosure\n     * Protocol level attacks (e.g. BEAST/BREACH)\n     * Lack of security headers, httponly flags, etc\n\n## Legal\n\nSony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions.  
Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-24T15:48:38.109Z"}]