Sony have recently launched their bug bounty program for PlayStation. Security researchers and bug bounty hunters can now report any bugs affecting PlayStation-related devices expecting great rewards.
PlayStation Bug Bounty Program
Reportedly, Sony has recently introduced a dedicated bug bounty program covering PlayStation related devices.
The program launched on HackerOne – the popular bug bounty platform – will cover vulnerabilities affecting PlayStation 4 console, operating system, and related accessories, as well as the PlayStation Network.
However, any bugs in PlayStation 1, 2, and 3 are out of the scope of this program.
Regarding the scope, Sony has listed the following domains included in this program.
- *.playstation.net
- *.api.playstation.com
- *.sonyentertainmentnetwork.com
- playstation.com
- playstation.com
- api.playstation.com
- playstation.com
- playstation.com
Any domains not included in this list will also not qualify for the bug bounty.
Sony Sets Rewards Up To $50K
Sony has explicitly stated that they will reward bug bounty to the researcher who first reports a previously unreported flaw.
Whereas, regarding the bounty, Sony has set up two tiers of rewards separately covering the vulnerabilities in PlayStation 4 and PlayStation Network.
For PlayStation 4, the rewards start from $100 for low severity bugs to $400, $1000, and $5000 for medium, high, and critical severity bugs, respectively.
Whereas, for PlayStation Network, they have set up relatively higher bounties. Specifically, these include $500, $2500, $10,000, and $50,000 for low, medium, high, and critical vulnerabilities, respectively.
Though, they have explicitly listed the following vulnerabilities as out-of-scope of this bounty program.
- Physical attacks involving the vendor’s infrastructure and offices
- Social engineering attacks
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Bugs arising or linked with the compromise of employee accounts
- Network Vulnerabilities, such as account takeovers, clickjacking, spam, login/logout CSRF, fingerprinting, lack of security headers, and protocol level attacks.
Whereas, what qualifies if any vulnerability affecting the domains listed above, and the hardware or IoT related to PS4.
Earlier this year, Microsoft also announced a bug bounty program for Xbox offering up to $20,000 as a reward.