Sony, in collaboration with security platform HackerOne, has announced the PlayStation Bug Bounty Program and is inviting security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network.
"Our bug bounty program has rewards for various issues, including critical issues on PS4. Critical vulnerabilities for PS4 have bounties starting at $50 000 (about R860 000)," said Geoff Norton Senior Director Software Engineering at SIE in a statement on a blog post.
We believe that through working with the security research community we can deliver a safer place to play, Norton added.
"To date, we have been running our bug bounty program privately with some researchers. We recognise the valuable role that the research community plays in enhancing security, so we’re excited to announce our program for the broader community."
According to the HackerOne page, nearly R3 million in total bounties have been paid out to individuals who have successfully found bugs in the system. The average bounty is $400 (approximately R7000).
A total of 449 reports were received in the last 90 days and 89 reports have been resolved.
Out-of-Scope vulnerabilities include social engineering attacks, physical attacks against infrastructure, facilities and offices, scanner output or scanner-generated reports and any vulnerability obtained through the compromise of employee account.
Network Vulnerabilities include account takeover (PLA, User enumeration, etc), spam, clickjacking, Login/logout CSRF, fingerprinting, error message disclosure, protocol level attacks (e.g BEAST/BREACH) and lack of security headers, httponly flags, etc.
"PlayStation will determine, in its sole discretion, whether a bounty
will be awarded. Reward amounts will differ based on vulnerability
severity, as well as the quality of the report. Sony will only award a
bounty to the first researcher to have reported a previously unreported,
vulnerability," said PlayStation.