SecurityWeek

Sony Launches PlayStation Bug Bounty Program on HackerOne

Sony this week announced the launch of a public PlayStation bug bounty program in partnership with hacker-sourced vulnerability hunting platform HackerOne.

Previously, the company ran a private bug bounty program open only to some researchers, but it says it has come to realize that the research community plays an important role in improving security, and that the newly launched program builds on that realization.

“We believe that through working with the security research community we can deliver a safer place to play. We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network,” the company says.

HackerOne community members interested in participating could earn more than $50,000 for critical severity vulnerabilities in PlayStation 4. The minimum amount paid for critical flaws in PlayStation Network is $3,000.

“PlayStation will determine, in its sole discretion, whether a bounty will be awarded. Reward amounts will differ based on vulnerability severity, as well as the quality of the report. Sony will only award a bounty to the first researcher to have reported a previously unreported vulnerability,” HackerOne explains.

Domains in scope of the program include *.playstation.net, *.sonyentertainmentnetwork.com, *.api.playstation.com, my.playstation.com, store.playstation.com, social.playstation.com, transact.playstation.com, and wallets.api.playstation.com.

Current released or beta versions of system software are in scope of the program for the PlayStation 4 system, accessories and operating system. However, submissions for previous system software might be accepted on a case-by-case basis.

PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware, domains other than those mentioned above, corporate IT infrastructure, open source software vulnerabilities public for less than 7 days, and third-party games and applications are not in the scope of the program.

Researchers are required to promptly report the identified vulnerabilities, to provide sufficient details to verify the validity of reports, and allow sufficient time for the reported security flaws to be addressed before disclosing them publicly.

Furthermore, researchers are prohibited from viewing, using, altering, transferring, or accessing any data within the PlayStation environment, as well as from intentionally disrupting the company’s “networks, systems, information, applications, products, or services.”

“Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past,” Sony says.

On the program’s page on HackerOne, Sony also provides details on vulnerabilities that are out-of-scope, as well as on what researchers who participate should expect from the company. The company says it won’t take legal action or file complaints against researchers for accidental, good faith violations of the program’s policy.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
