Sony this week announced the launch of a public PlayStation bug bounty program in partnership with hacker-sourced vulnerability hunting platform HackerOne.
Previously, the company ran a private bug bounty with some researchers only, but says that it has come to realize that the research community plays an important role in improving security, and that the newly launched program builds on that realization.
“We believe that through working with the security research community we can deliver a safer place to play. We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network,” the company says.
HackerOne community members interested in participating could earn more than $50,000 for critical severity vulnerabilities in PlayStation 4. The minimum amount paid for critical flaws in PlayStation Network is $3,000.
“PlayStation will determine, in its sole discretion, whether a bounty will be awarded. Reward amounts will differ based on vulnerability severity, as well as the quality of the report. Sony will only award a bounty to the first researcher to have reported a previously unreported vulnerability,” HackerOne explains.
Domains in scope of the program include *.playstation.net, *.sonyentertainmentnetwork.com, *.api.playstation.com, my.playstation.com, store.playstation.com, social.playstation.com, transact.playstation.com, and wallets.api.playstation.com.
For the PlayStation 4 system, its accessories and its operating system, the currently released or beta versions of the system software are in scope. Submissions against previous system software versions might be accepted on a case-by-case basis.
Out of scope are the PlayStation 1, PlayStation 2, PlayStation 3, PS Vita, PSP and any other hardware; domains other than those listed above; corporate IT infrastructure; vulnerabilities in open source software that have been public for less than 7 days; and third-party games and applications.
Researchers are required to report identified vulnerabilities promptly, to provide enough detail for the validity of a report to be verified, and to allow sufficient time for the reported flaws to be addressed before disclosing them publicly.
Furthermore, researchers are prohibited from viewing, using, altering, transferring, or accessing any data within the PlayStation environment, as well as from intentionally disrupting the company’s “networks, systems, information, applications, products, or services.”
“Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past,” Sony says.
On the program’s page on HackerOne, Sony also provides details on vulnerabilities that are out-of-scope, as well as on what researchers who participate should expect from the company. The company says it won’t take legal action or file complaints against researchers for accidental, good faith violations of the program’s policy.
More from Ionut Arghire