
Do you think you have found a vulnerability in the Sony PlayStation 4 or the PlayStation Network?

If so, you could be heading towards a sizeable sum of money. That’s because Sony announced details of a new bug bounty program that it is running in co-ordination with vulnerability-reporting platform HackerOne.

Sony is inviting security researchers, gamers and anyone else who is interested to “test the security of PlayStation 4 and PlayStation Network.”

Until now, Sony has been running a private, invitation-only bug bounty program with a handful of security researchers, but it says it now believes the best way to enhance security is to open the program to the wider community.

To encourage testing by more people, the bug bounty program will be offering rewards for different levels of responsibly disclosed vulnerabilities, reaching over $50,000 for previously unknown critical vulnerabilities on the PS4.

Of course, there are some rules.

Bounty rewards will differ in size depending on the severity of the vulnerability and the quality of the report (both of which will be determined by Sony). For a low-severity vulnerability on PlayStation Network, for instance, you might only receive a reward of $100, ramping up to a minimum of $3,000 for details of a high-severity security problem.

On the PlayStation 4 itself, the rewards rise quickly, exceeding $50,000 for the most critical reports.

If you fancy your chances reporting a PlayStation Network vulnerability, then you need to be aware that only the following domains are in scope for a reward:

  • *.playstation.net
  • *.sonyentertainmentnetwork.com
  • *.api.playstation.com
  • my.playstation.com
  • store.playstation.com
  • social.playstation.com
  • transact.playstation.com
  • wallets.api.playstation.com

That doesn’t mean you have free rein to spam those sites or to launch distributed denial-of-service (DDoS) attacks against them. Intentionally disrupting Sony’s operations or causing any harm is not going to win you any friends, let alone financial rewards.

And don’t think that you’ll be able to report vulnerabilities in Sony’s older gaming hardware (such as earlier versions of the PlayStation, the PS Vita, or the PSP) or flaws found on the PlayStation 4 if it is not running the current beta version of its system software.

Sony does not want you to be testing its corporate IT infrastructure. I imagine that it has internal security teams and expert third-party firms who help it with that kind of work. The last thing they would want is every man and his dog trying to hack into their corporate email servers.

That’s not to say that Sony might not be interested if you find vulnerabilities that aren’t covered by the rules of the PlayStation bug bounty program. It’s just that you will have to report them via a separate bug bounty process and play by its rules.

But if you do find a critical vulnerability in PlayStation 4 or the PlayStation Network, you could find yourself on the receiving end of a substantial reward – provided you are prepared to work together with Sony, giving them time to remediate any problems before you go public about it.

For full details of what you can do, what you can’t do, and how you might be rewarded for it, go check out the Sony PlayStation bug bounty page at HackerOne.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.