Sony announced this week, in collaboration with the hacker-sourced vulnerability hunting platform HackerOne, the introduction of a public PlayStation bug bounty program.
Previously, the company ran a private bug bounty with a select group of researchers only, but it says it has come to realize that the research community plays an important role in improving security, and that the newly launched program builds on that realization.
“We agree that we can provide a safer place to play in by partnering with the security research community. We’ve partnered with HackerOne to help run this program and we’re inviting the security research group, gamers, and anyone else to check the PlayStation 4 and PlayStation Network security,” the company says.
Members of the HackerOne community who take part could receive more than $50,000 for critical-severity PlayStation 4 vulnerabilities. The minimum payout for critical flaws in PlayStation Network is $3,000.
“PlayStation will, at its sole discretion, determine whether a bounty is being awarded. Reward amounts can vary depending on the severity of the weakness, as well as the report content. Only the first researcher to announce a previously unreported vulnerability will receive a payout from Sony,” notes HackerOne.
Domains in scope of the program include *.playstation.net, *.sonyentertainmentnetwork.com, *.api.playstation.com, my.playstation.com, store.playstation.com, social.playstation.com, transact.playstation.com, and wallets.api.playstation.com.
For the PlayStation 4 system, accessories, and operating system, the program covers the currently released or beta versions of the system software. Submissions concerning prior system software versions may, however, be considered on a case-by-case basis.
Out of scope for the program are PlayStation 1, PlayStation 2, PlayStation 3, PS Vita, PSP and any other hardware, territories other than those listed above, corporate IT infrastructure, open source software bugs that have been public for less than 7 days, and third-party games and applications.
Researchers are required to report the identified vulnerabilities promptly, provide sufficient details to verify the validity of reports, and allow sufficient time to address the reported security flaws before they are publicly disclosed.
In addition, researchers are prohibited from viewing, using, altering, transferring or accessing any data within the PlayStation environment, and from deliberately disrupting the company’s “networks, systems, information, applications, products or services.”
“Violation of these requirements may result in permanent disqualification from the program, and Sony reserves the right to withhold a reward from researchers who have breached these requirements, or have done so in the past,” Sony says.
Sony also provides details of out-of-scope vulnerabilities on the program’s HackerOne page, along with what participating researchers should expect from the firm. The company says it will not take legal action against researchers, or file complaints about them, for accidental, good-faith violations of the program policy.