This week, Rockstar Games launched a public bug bounty program through HackerOne. The program had been running in private mode for the last nine months.
On the program's page, the company says that the minimum bounty for a valid vulnerability submission is $150, but researchers can earn higher rewards depending on the severity and complexity of the identified vulnerability. The company notes, however, that higher bounties are paid out at its own discretion.
For the time being, researchers are authorized to look for vulnerabilities only in a limited set of domains operated by the company.
The company specified, “No authorization will be given to test any of the other web applications, video game titles or even mobile applications. No bounties shall be given for any disclosures relating to applications outside the scope of this program.”
Researchers are also encouraged to hunt for bugs in support.rockstargames.com; that portal runs on the Zendesk platform, and Zendesk has its own bug bounty program on HackerOne.
Interested researchers can head to the bug bounty program's page and go through all of the recommendations and guidelines the company has published there, since submissions that don't follow these requirements may not qualify for a bounty.
Valid submissions, Rockstar Games says, should include the type of issue being reported, the kind of attack, whether it maps to a CWE (Common Weakness Enumeration) entry, the steps needed to reproduce the issue (issues that can't be reliably reproduced can't be fixed, the company notes), the potential impact of the bug, and how a malicious user could benefit from it.
“The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes,” the company also notes.