[{"id":3767384,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. \n\nWhen investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services.  Do not utilize an identified vulnerability to pivot to other hosts or services.  
If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.\n\n**Reports of broken link hijacking without proof of significant potential impact to Sony will likely be closed as N/A**\n\nWe value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Products and their associated services (specific to the Sony designed/controlled components of the product)\n\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. 
Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps\n* Clickjacking\n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]\n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n\nResearcher Communication \u0026 Tagging\n---------------------\n\nTo ensure timely and consistent responses, please avoid tagging individual team members in report comments. 
Our internal workflows route submissions to the appropriate reviewers, and tagging individuals can lead to delays or missed updates.\n\nInstead, please tag the program team using @sony-team. This ensures all communications are visible to the right members of our security team and receive proper review.\n\nRecognition\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSwag shipments are processed once a month but international shipping deliveries may incur a delay.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.\n\nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions.  Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. 
All reward decisions by Sony are final.\n\n\nResponsible Disclosure\n---------------------\n\nSony believes in responsible disclosure and we ask that researchers:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n            - Promptly\n            - In sufficient detail for us to determine the validity of the vulnerability\n            - Without coercion, dishonesty, or fraudulent intent\n\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance.  If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/disclosure-guidelines).\n            - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.\n* Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;\n* You do not violate any law;\n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;\n* To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\nViolation of these requirements may result in 
permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.\n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.\n\nSony reserves the right to modify or terminate this program at any time. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-15T15:40:52.414Z"},{"id":3737728,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. 
\n\nWhen investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services.  Do not utilize an identified vulnerability to pivot to other hosts or services.  If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.\n\n**Reports of broken link hijacking without proof of significant potential impact to Sony will likely be closed as N/A**\n\nWe value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Products and their associated services (specific to the Sony designed/controlled components of the product)\n\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. 
Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps\n* Clickjacking\n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]\n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also 
pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSwag shipments are processed once a month but international shipping deliveries may incur a delay.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.\n\nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions.  Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nResponsible Disclosure\n---------------------\n\nSony believes in responsible disclosure and we ask that researchers:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n            - Promptly\n            - In sufficient detail for us to determine the validity of the vulnerability\n            - Without coercion, dishonesty, or fraudulent intent\n\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance.  
If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/disclosure-guidelines).\n            - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.\n* Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;\n* You do not violate any law;\n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;\n* To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.\n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). 
Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.\n\nSony reserves the right to modify or terminate this program at any time. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-03T17:35:58.814Z"},{"id":3709935,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. \n\nWhen investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services.  Do not utilize an identified vulnerability to pivot to other hosts or services.  
If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.\n\n**Reports of broken link hijacking without proof of significant potential impact to Sony will likely be closed as N/A**\n\nWe value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Products and their associated services (specific to the Sony designed/controlled components of the product)\n\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. 
Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps\n* Clickjacking\n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]\n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also 
pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\n**Swag shipments are processed once a month but may be delayed due to COVID-19. Thank you for your understanding!**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.\n\nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions.  Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nResponsible Disclosure\n---------------------\n\nSony believes in responsible disclosure and we ask that researchers:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n            - Promptly\n            - In sufficient detail for us to determine the validity of the vulnerability\n            - Without coercion, dishonesty, or fraudulent intent\n\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance.  
If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/disclosure-guidelines).\n            - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.\n* Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;\n* You do not violate any law;\n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;\n* To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.\n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). 
Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.\n\nSony reserves the right to modify or terminate this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-27T13:37:36.770Z"},{"id":3666859,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. \n\nWhen investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services.  Do not utilize an identified vulnerability to pivot to other hosts or services.  
If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.\n\n**Reports of broken link hijacking without proof of significant potential impact to Sony will likely be closed as N/A**\n\nWe value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. 
Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps\n* Clickjacking\n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]\n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also 
pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\n**Swag shipments are processed once a month but may be delayed due to COVID-19. Thank you for your understanding!**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.\n\nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions.  Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nResponsible Disclosure\n---------------------\n\nSony believes in responsible disclosure and we ask that researchers:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n            - Promptly\n            - In sufficient detail for us to determine the validity of the vulnerability\n            - Without coercion, dishonesty, or fraudulent intent\n\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance.  
If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/disclosure-guidelines).\n            - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.\n* Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;\n* You do not violate any law;\n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;\n* To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.\n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). 
Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.\n\nSony reserves the right to modify or terminate this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-22T14:46:34.228Z"},{"id":3659841,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. \n\nWhen investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services.  Do not utilize an identified vulnerability to pivot to other hosts or services.  
If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.\n\nWe value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. 
Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps\n* Clickjacking\n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]\n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also 
pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\n**Swag shipments are processed once a month but may be delayed due to COVID-19. Thank you for your understanding!**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.\n\nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions.  Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nResponsible Disclosure\n---------------------\n\nSony believes in responsible disclosure and we ask that researchers:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n            - Promptly\n            - In sufficient detail for us to determine the validity of the vulnerability\n            - Without coercion, dishonesty, or fraudulent intent\n\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance.  
If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/disclosure-guidelines).\n            - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.\n* Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;\n* You do not violate any law;\n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;\n* To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.\n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). 
Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.\n\nSony reserves the right to modify or terminate this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-12T16:32:04.871Z"},{"id":3659840,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. \n\nWhen investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services.  Do not utilize an identified vulnerability to pivot to other hosts or services.  
If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.\n\nWe value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. 
Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps\n* Clickjacking\n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]\n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize 
our security researchers by providing a “Secure@Sony Finder” t-shirt. Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\n**Swag shipments are processed once a month but may be delayed due to COVID-19. Thank you for your understanding!**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.\n\nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions.  Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nResponsible Disclosure\n---------------------\n\nSony believes in responsible disclosure and we ask that researchers:\n\n* Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:\n            - Promptly\n            - In sufficient detail for us to determine the validity of the vulnerability\n            - Without coercion, dishonesty, or fraudulent intent\n\n* Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance.  
If you would like to disclose a resolved vulnerability, make the request [directly in your report](https://www.hackerone.com/disclosure-guidelines).\n            - Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.\n* Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;\n* You do not violate any law;\n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;\n* To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.\n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). 
Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.\n\nSony reserves the right to modify or terminate this program at any time.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-12T16:31:04.508Z"},{"id":3650044,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt. \n\n**Swag shipments are processed once a month, but may be delayed due to COVID-19. Thank you for your understanding!**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional 
compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program. \n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-18T17:23:07.705Z"},{"id":3636237,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt. \n\n**Unfortunately we are currently unable to access or ship Sony swag due to COVID-19. We will continue to award swag in the HackerOne platform for our records, and will begin shipping swag as soon as it is safe to do so. Thank you for understanding!**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\n\nViolation of 
these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program. \n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-14T19:34:57.151Z"},{"id":3633109,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt. **Please note that swag shipments are likely to be delayed due to the impact of COVID-19 on shipping logistics and personnel globally.**\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the 
intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program. \n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-16T20:33:43.601Z"},{"id":3615111,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, 
services or IT infrastructure will result in permanent disqualification from the program. \n\nWe may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-29T14:40:35.563Z"},{"id":3600783,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, 
services or IT infrastructure will result in permanent disqualification from the program. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-19T00:47:47.790Z"},{"id":3583551,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Content Spoofing\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details without the written permission of Sony.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, 
services or IT infrastructure will result in permanent disqualification from the program. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-24T18:38:10.368Z"},{"id":3577375,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Content Spoofing\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details with any third party until Sony confirms that the \nvulnerability has been remediated or you have provided Sony with written notice of a reasonable disclosure deadline that is no shorter than 90 days.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity 
determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program. \n\nSony reserves the right to modify or terminate this program at any time. \n\n\nScope:\n---------------------\n\nSecurity vulnerabilities that are identified in Sony products or in website domains owned, operated, or controlled by Sony are in scope.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-21T17:20:04.015Z"},{"id":3569706,"new_policy":"Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.\n\nThe Secure@Sony program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.\n\nIf you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below. 
We value the positive impact of your work and thank you in advance for your contribution.\n\nQualifying Vulnerabilities\n---------------------\nThe Secure@Sony team is interested in the following types of vulnerabilities:\n* Cross-Site Scripting (XSS)\n* Cross-Site Request Forgery (CSRF)\n* Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)\n* Insecure Direct Object References\n* Injection Vulnerabilities\n* Authentication Vulnerabilities\n* Server-Side Code Execution\n* Privilege Escalation\n* Significant Security Misconfiguration (when not caused by user)\n* Directory Traversal\n* Information Disclosure\n* Open Redirects\n* Content Spoofing\n* Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product) \n\t\nSony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.  
\n\nNon-Qualifying Vulnerabilities\n---------------------\nThe following submissions are not accepted by Secure@Sony: \n\n* Clickjacking \n* Logout Cross-Site Request Forgery\n* Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above] \n* Descriptive Error Messages\n* Fingerprinting/Banner disclosure on common public services\n* Lack of secure/HTTPOnly flags\n* HTTP Methods\n* SSL Attacks, such as BEAST/BREACH\n* Subdomain takeovers without a complete proof of concept\n* CMS Application updates within 5 business days of release (e.g., WordPress security releases)\n* Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)\n* Vulnerabilities related to networking protocols or industry standards not controlled by Sony,  including flaws that \nimpact outdated browsers and plugins\n* Any Sony-developed software/hardware that is End of Life or no longer supported\n* Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony\n* Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access\n* Any vulnerability obtained through the compromise of a Sony user or employee account\n\nRecognition:\n---------------------\n\nOnce a report is resolved and closed, the researcher will receive a +1 count on their public profile under “Thanks Received” and be listed on Sony’s HackerOne webpage under “Hackers Thanked.” Sony is also pleased to recognize our security researchers by providing a “Secure@Sony Finder” t-shirt. 
Sony will use the mailing address provided to HackerOne to provide the t-shirt.\n\nSony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony holds the right to withhold recognition for researchers who in the past have violated the processes defined herein.  \nSony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.\n\n\nLegal Notice:\n---------------------\n\nIf we conclude, in our sole discretion, that you have complied with the requirements below when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:\n* You do not cause harm to Sony or our customers;\n* You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure; \n* You do not violate any law; \n* Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further; \n* To the extent that you have accessed non-public Sony information in the course of your research, you do not \nmaintain copies of any such information or share any such information with any third party; and\n* You do not publicly disclose or share the vulnerability details with any third party until Sony confirms that the \nvulnerability has been remediated or you have provided Sony with written notice of a reasonable disclosure deadline that is no shorter than 90 days.\n\nViolation of these requirements may result in permanent disqualification from the program.\n\nAny activity 
determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program. \n\nSony reserves the right to modify or terminate this program at any time. \n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-26T14:33:42.279Z"}]