PlayStation has announced that it will pay hackers thousands of dollars to uncover vulnerabilities in its network and entertainment products.
PlayStation has been running a private bug bounty programme in collaboration with an elite group of researchers for some time. Now, for the first time in the history of the 26-year-old game console, the public is being asked to report bugs and receive money for them.
The initiative is being conducted in collaboration with the well-known security platform HackerOne.
“Our bug bounty programme offers rewards for various issues, including critical issues on PS4,” said a PlayStation spokesperson. “Critical PS4 vulnerabilities are bounties starting at $50,000.”
The gaming titan launched his PlayStation Bug Bounty programme yesterday morning in the hope of fixing vulnerabilities and providing players with a safer user experience.
A PlayStation spokesperson stated: “We have partnered with HackerOne to help run this programme and we invite the security research community, players and everyone else to test the security of PlayStation 4 and PlayStation Network.
The new programme recognises the high level of skills and ingenuity required to be part of the ethical hacker netiquette.
Under the new programme, vulnerabilities will receive different levels of financial rewards depending on the severity and quality of the report submitted.
While hackers are encouraged to flag bugs in both PlayStation Network and PlayStation 4, higher rewards will be given for bugs found in PlayStation 4. Detecting a critical security vulnerability affecting PlayStation 4 could earn an ethically motivated hacker a nice chunk of money.
PlayStation explained which bugs they were most concerned about: “We are currently interested in reports about the PlayStation 4 system, the operating system, accessories and PlayStation Network.
PlayStation did not specify the maximum amount that can be paid out for a single bug.
Domains that fall within the scope include
- .playstation.net
- .sonyentertainmentnetwork.com
- api.playstation.com
- my.playstation.com
- store.playstation.com
- social.playstation.com
- transact.playstation.com
- wallets.api.playstation.com.
Program Overview According to the Official PlayStation Page
At PlayStation, we strive to be the best place to play, and believe that the security of our environment is fundamental to that goal. We believe that through close partnerships with the security research community we can deliver a safer place to play.
If you find a vulnerability on a Sony asset that is not covered by the PlayStation program, please report it through Sony’s public Vulnerability Disclosure Program.
Scope
We are currently interested in reports on the PlayStation 4 system, operating system, accessories and the PlayStation Network. For PlayStation Network the following domains are in scope:
- *.playstation.net
- *.sonyentertainmentnetwork.com
- *.api.playstation.com
- my.playstation.com
- store.playstation.com
- social.playstation.com
- transact.playstation.com
- wallets.api.playstation.com
For the PlayStation 4 system, accessories and operating system, we will accept submissions on the current released or beta version of system software. PlayStation may at its discretion accept submissions on earlier versions of system software on a case by case basis.
Out-of-Scope
- PlayStation 1, PlayStation 2, PlayStation 3, PS Vita and PSP or any other hardware
- Any domains not explicitly listed in the scope above
- Corporate IT infrastructure
- Open source software vulnerabilities which have been public for less than 7 days
- Software published by third party entities, including games, applications, etc
Responsible Disclosure
PlayStation firmly believes in responsible disclosure and we ask that you:
- Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us including prompt, insufficient details to determine the validity of the vulnerability and dishonesty.
- Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request directly in your report. We look forward to disclosing issues that positively contribute to the security community.
- Not view, use, alter, transfer, or access any data (personal or otherwise) within our environment; to immediately notify us of any inadvertent access, viewing, use, alteration, transfer, or storage of data.
- Not intentionally disrupt, and avoid and minimize the impact, degradation or harm to performance and operations of our networks, systems, information, applications, products, or services (no DDoS, form spamming, etc.)
- Otherwise comply with all applicable laws.
- Please note reports closed as Spam, Not Applicable, or Informative may not be approved for disclosure.
- Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a bounty from researchers who violate or have violated these requirements in the past.
- Sony reserves the right to modify or terminate this program at any time.
In return you can expect:
- We will respond within a timely manner
- We authorize good faith activities that conform to this policy, under the Computer Fraud and Abuse Act, and the DMCA, or similar computer access or use laws
- We will not initiate legal action or a complaint against you for accidental, good faith violations of this policy
- We may request additional information from submitters, such as IP address, to assist with the validation and remediation of certain findings.
- If there is any inconsistency between this policy and any other applicable Sony Interactive Entertainment terms, the terms of this policy will prevail
- While we cannot and do not authorize activities under this policy in the name of other parties, to the extent your activities under this policy identify vulnerabilities based on our use or implementation of the networks, systems, information, applications, products, or services of others, we:
- Authorize your good faith activities that conform to this policy, to the extent we have the authority to do so.
- Will not disclose your identity to the third party without your permission
- We will notify the third party of our authorization of your activities under this policy, as necessary.
Out-of-Scope Vulnerabilities
- Social engineering attacks, including those targeting internal employees
- Physical attacks against our infrastructure, facilities and offices
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Any vulnerability obtained through the compromise of employee account
- Network Vulnerabilities such as account takeover, spam, clickjacking, fingerprinting, breaching and missing security headers
Legal
Sony is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions. Sony Interactive Entertainment employees, contractors, service providers, and their family members are not eligible for bounties.
