Sony Launches PlayStation Bug Bounty Program on HackerOne

Sony this week announced the launch of a public PlayStation bug bounty program in partnership with hacker-sourced vulnerability hunting platform HackerOne.

Previously, the company ran a private bug bounty with some researchers only, but says that it has come to realize that the research community plays an important role in improving security, and that the newly launched program builds on that realization.

“We believe that through working with the security research community we can deliver a safer place to play. We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network,” the company says.

HackerOne community members interested in participating could earn more than $50,000 for critical severity vulnerabilities in PlayStation 4. The minimum amount paid for critical flaws in PlayStation Network is $3,000.

“PlayStation will determine, in its sole discretion, whether a bounty will be awarded. Reward amounts will differ based on vulnerability severity, as well as the quality of the report. Sony will only award a bounty to the first researcher to have reported a previously unreported vulnerability,” HackerOne explains.

Domains in scope of the program include *.playstation.net, *.sonyentertainmentnetwork.com, *.api.playstation.com, my.playstation.com, store.playstation.com, social.playstation.com, transact.playstation.com, and wallets.api.playstation.com.

Currently released or beta versions of system software are in scope of the program for the PlayStation 4 system, accessories and operating system. However, submissions for previous system software versions might be accepted on a case-by-case basis.

PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware, domains other than those mentioned above, corporate IT infrastructure, vulnerabilities in open source software that have been public for less than 7 days, and third-party games and applications are not in the scope of the program.
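Because the scope above mixes wildcard entries (*.playstation.net) with exact hostnames (store.playstation.com), a researcher triaging targets before testing, or a program team triaging reports, needs a checker that respects subdomain boundaries and does not get fooled by lookalike hosts or by a scope domain embedded in an attacker-controlled URL. The following is an added example, not Sony's or HackerOne's code; the domain list is the one quoted in this article, and the wildcard semantics are an assumption: a `*.example.com` entry covers any subdomain of example.com but not the apex `example.com` itself, which is not listed.

```python
"""Bug bounty scope checker (added example, not Sony's or HackerOne's code).

Assumption: a wildcard entry such as '*.example.com' covers every subdomain
of example.com but not the apex host 'example.com' itself.
"""
from urllib.parse import urlsplit

# Domains quoted in the article as in scope for the PlayStation program.
IN_SCOPE = [
    "*.playstation.net",
    "*.sonyentertainmentnetwork.com",
    "*.api.playstation.com",
    "my.playstation.com",
    "store.playstation.com",
    "social.playstation.com",
    "transact.playstation.com",
    "wallets.api.playstation.com",
]


def normalize_host(target: str) -> str:
    """Extract a lowercase hostname from a bare host or a full URL.

    Userinfo, port and path are discarded, so 'https://user@Host:8080/x'
    and 'host' yield the same value; a trailing FQDN dot is removed.
    Returns '' when no hostname can be extracted.
    """
    if "://" not in target:
        target = "//" + target  # make urlsplit treat the input as a netloc
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def matches(host: str, pattern: str) -> bool:
    """Match a normalized host against one scope entry."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading dot in the suffix so that 'evilplaystation.net'
        # is not matched by '*.playstation.net'; the apex itself never
        # ends with '.playstation.net', so it is excluded (see assumption).
        return host.endswith(pattern[1:])
    return host == pattern


def in_scope(target: str, patterns=IN_SCOPE) -> bool:
    """True if the target's hostname falls under any in-scope entry."""
    host = normalize_host(target)
    return bool(host) and any(matches(host, p) for p in patterns)


def classify(targets):
    """Return {target: 'in scope' | 'out of scope'} for a batch of targets."""
    return {t: ("in scope" if in_scope(t) else "out of scope") for t in targets}


if __name__ == "__main__":
    # Constructed sample targets: exact host, wildcard subdomain, lookalike
    # domain, scope host embedded in a foreign URL, apex, and a URL with port.
    samples = [
        "store.playstation.com",
        "https://auth.api.playstation.com/login",
        "evilplaystation.net",
        "https://store.playstation.com.attacker.example/",
        "playstation.net",
        "http://wallets.api.playstation.com:443/",
    ]
    for target, verdict in classify(samples).items():
        print(f"{verdict:13} {target}")
```

The lookalike and embedded-URL cases are the ones that a naive substring check gets wrong; the checker parses out the hostname first and only then compares it against the suffix with its leading dot, so `store.playstation.com.attacker.example` and `evilplaystation.net` are both reported as out of scope.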

Researchers are required to promptly report the identified vulnerabilities, to provide sufficient details to verify the validity of reports, and allow sufficient time for the reported security flaws to be addressed before disclosing them publicly.

Furthermore, researchers are prohibited from viewing, using, altering, transferring, or accessing any data within the PlayStation environment, as well as from intentionally disrupting the company’s “networks, systems, information, applications, products, or services.”

“Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past,” Sony says.

On the program’s page on HackerOne, Sony also provides details on vulnerabilities that are out-of-scope, as well as on what researchers who participate should expect from the company. The company says it won’t take legal action or file complaints against researchers for accidental, good faith violations of the program’s policy.

Written by Ionut Arghire, international correspondent for SecurityWeek.