Connect with us

Hi, what are you looking for?



Rockstar Games Launches Public Bug Bounty Program

Rockstar Games this week launched a public bug bounty program through HackerOne, after running it in private mode for more than nine months.

Rockstar Games this week launched a public bug bounty program through HackerOne, after running it in private mode for more than nine months.

On the program’s page, the company reveals that the minimum bounty for successful vulnerability submissions is $150, but that researchers can get higher rewards, depending on the severity and complexity of the identified potential vulnerability. However, the company notes that higher bounties may be paid out at its own discretion.

For the time being, researchers are required to look for vulnerabilities only in a specific set of domains operated by the company.

“No authorization is given to test any other web applications, video game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program,” the company specifies.

At the same time, researchers are encouraged to hunt for bugs in, because the portal is run on top of the Zendesk platform, and because Zendesk also participates in the HackerOne bounty program.

Interested researchers should head to the bug bounty program’s page and go through all of the recommendations and guidelines that the company published there, as submissions that don’t follow those requirements may not qualify for a bounty.

Valid submissions, Rockstar Games says, should include details on the type of issue being reported, the kind of attack, whether it fits a CWE (Common Weakness Enumeration) number, details on the steps necessary to reproduce the issue (issues that can’t be reliably reproduced can’t be fixed, the company notes), info on potential impact of the bug, and details on how a malicious user could potentially benefit from the issue.

Advertisement. Scroll to continue reading.

“The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes,” the company also notes.

To ensure their submissions qualify for a bounty, the researchers should be the first to submit a vulnerability and avoid publicly disclosing or discussing the vulnerability before or after submitting it. The company also published a list of bugs that are excluded from the program, yet it didn’t say what type of flaws are accepted, most probably because all other types of security issues are.

Rockstar’s bug bounty program has been running in private mode for the past nine months, which allowed the company to resolve “readily identifiable types of vulnerabilities found across their network,” HackerOne says. With over 150 vulnerabilities identified and closed and more than $85,000 in bounties paid, the program is considered a “huge success.”

Related: HackerOne Offers Free Service to Open Source Projects

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.