Connect with us

Hi, what are you looking for?



Rockstar Games Launches Public Bug Bounty Program

Rockstar Games this week launched a public bug bounty program through HackerOne, after running it in private mode for more than nine months.

Rockstar Games this week launched a public bug bounty program through HackerOne, after running it in private mode for more than nine months.

On the program’s page, the company reveals that the minimum bounty for successful vulnerability submissions is $150, but that researchers can get higher rewards, depending on the severity and complexity of the identified potential vulnerability. However, the company notes that higher bounties may be paid out at its own discretion.

For the time being, researchers are required to look for vulnerabilities only in a specific set of domains operated by the company.

“No authorization is given to test any other web applications, video game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program,” the company specifies.

At the same time, researchers are encouraged to hunt for bugs in, because the portal is run on top of the Zendesk platform, and because Zendesk also participates in the HackerOne bounty program.

Interested researchers should head to the bug bounty program’s page and go through all of the recommendations and guidelines that the company published there, as submissions that don’t follow those requirements may not qualify for a bounty.

Valid submissions, Rockstar Games says, should include details on the type of issue being reported, the kind of attack, whether it fits a CWE (Common Weakness Enumeration) number, details on the steps necessary to reproduce the issue (issues that can’t be reliably reproduced can’t be fixed, the company notes), info on potential impact of the bug, and details on how a malicious user could potentially benefit from the issue.

“The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes,” the company also notes.

Advertisement. Scroll to continue reading.

To ensure their submissions qualify for a bounty, the researchers should be the first to submit a vulnerability and avoid publicly disclosing or discussing the vulnerability before or after submitting it. The company also published a list of bugs that are excluded from the program, yet it didn’t say what type of flaws are accepted, most probably because all other types of security issues are.

Rockstar’s bug bounty program has been running in private mode for the past nine months, which allowed the company to resolve “readily identifiable types of vulnerabilities found across their network,” HackerOne says. With over 150 vulnerabilities identified and closed and more than $85,000 in bounties paid, the program is considered a “huge success.”

Related: HackerOne Offers Free Service to Open Source Projects

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.