Sony Launches PlayStation Bug Bounty Program on HackerOne
Sony this week announced the launch of a public PlayStation bug bounty program in partnership with hacker-sourced vulnerability hunting platform HackerOne.
Previously, the company ran a private bug bounty with some researchers only, but says that it has come to realize that the research community plays an important role in improving security, and that the newly launched program builds on that realization.
“We believe that through working with the security research community we can deliver a safer place to play. We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network,” the company says.
HackerOne community members interested in participating could earn more than $50,000 for critical severity vulnerabilities in PlayStation 4. The minimum amount paid for critical flaws in PlayStation Network is of $3,000.
“PlayStation will determine, in its sole discretion, whether a bounty will be awarded. Reward amounts will differ based on vulnerability severity, as well as the quality of the report. Sony will only award a bounty to the first researcher to have reported a previously unreported, vulnerability,” HackerOne explains.
Domains in scope of the program include *.playstation.net, *.sonyentertainmentnetwork.com, *.api.playstation.com, my.playstation.com, store.playstation.com, social.playstation.com, transact.playstation.com, and wallets.api.playstation.com.
Current released or beta versions of system software are in scope of the program for the PlayStation 4 system, accessories and operating system. However, submissions for previous system software might be accepted on a case by case basis.
PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware, other domains than those mentioned above, corporate IT infrastructure, open source software vulnerabilities public for less than 7 days, and third-party games and applications are not in the scope of the program.
Researchers are required to promptly report the identified vulnerabilities, to provide sufficient details to verify the validity of reports, and allow sufficient time for the reported security flaws to be addressed before disclosing them publicly.
Furthermore, researchers are prohibited from viewing, using, altering, transferring, or accessing any data within the PlayStation environment, as well as from intentionally disrupting the company’s “networks, systems, information, applications, products, or services.”
“Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past,” Sony says.
On the program’s page on HackerOne, Sony also provides details on vulnerabilities that are out-of-scope, as well as on what researchers who participate should expect from the company. The company says it won’t take legal action or file complaints against researchers for accidental, good faith violations of the program’s policy.