Sony launches bug bounty program – but we’re still not exactly sure what it covers

Secure@Sony initiative shrouded in a veil of ambiguity

February 26 marked the entrance of Sony, one of the world’s biggest technology and entertainment companies, into HackerOne’s public bug bounty program.

Given the Japanese conglomerate’s diverse portfolio of businesses – its operations span consumer electronics, gaming, music, motion pictures, and more – hackers will no doubt be chomping at the bit to discover which of Sony’s many subsidiaries fall within the scope of the HackerOne initiative.

The answer, unfortunately, is ‘We’re not sure’.

Sony’s bug bounty guidelines are explicit when it comes to outlining the qualifying and non-qualifying vulnerabilities – cross-site scripting, SQLi, and directory traversal flaws are all fair game, whereas clickjacking and SSL attacks are not.

However, unlike other bounties, which provide a clear indication of scope, there is a distinct lack of information with regard to exactly which properties are covered under the Secure@Sony program, aside from the sony.com URL that appears at the top of the company’s HackerOne directory page.

While it’s safe to assume that sony.com falls within the program’s remit, can the same be said for the group’s financial services business, Sony Financial Holdings (sonyfh.co.jp)?

How about any of Sony’s major regional subsidiaries around the world (from sony.co.uk to sony.com.ph), or likewise the raft of other Sony-owned enterprises, such as sonypicturestelevision.com (which itself has numerous subsidiaries)?

When asked to provide more information relating to the scope of the initiative, Lisa Gephardt, senior director of corporate communications at Sony, told The Daily Swig: “At this point we are not offering any further comment on our bug bounty program.”

Thanks, but no thanks

Until the ethical hacking community is given more clarity as to which of Sony’s domains are covered, the group’s bug bounty initiative is unlikely to garner the attention it deserves.

Hackers will likely approach the program with caution, amid fears of inadvertently transgressing legal boundaries and risking what could become an expensive lawsuit.

Further frustrations surrounding the group’s bug bounty launch have arisen from the fact that Sony is offering no monetary reward for successfully disclosed vulnerabilities, with the tech giant instead simply promising a +1 count on hackers’ public profile, a listing on the corporation’s HackerOne webpage, and a free t-shirt.

Of course, Sony isn’t the first company to shun financial incentives in its bug bounty program. But in light of the major hack against Sony Pictures in 2014 – which saw the release of a vast amount of employee data as well as pirated copies of new movies – for BugBountyHQ, this was the final twist of the knife: