Sony bug bounty program: explanation and rewards


In collaboration with the HackerOne online security platform, Sony introduced its bug bounty program, which encourages users to detect bugs and security breaches in the PlayStation 5, PlayStation 4, and PlayStation Network. Those who report the most serious vulnerabilities can receive $50,000 or more. Want to know more details?

What is the Sony bug bounty program?

The Sony bug reward program had been running privately for some cybersecurity researchers. However, the company decided to open it up to the general public to strengthen the security of its products with the help of the community and thus "provide a better gaming experience", said Sony Interactive Entertainment's (SIE) Senior Director of Software Engineering, Geoff Norton, on the corporate blog.

What are the rewards?

PlayStation assesses the severity of the reported vulnerability and the quality of the report to determine if there is a reward. However, through the platform, you can see that over $175,000 has already been paid out. It is worth mentioning that Sony only awards money to the first person who reports a security breach that has never been reported before.

The rewards are categorized as follows:

PlayStation 5

  • Critical level: $50,000
  • High level: $10,000
  • Medium level: $2,500
  • Low level: $500

PlayStation 4

  • Critical level: $50,000
  • High level: $10,000
  • Medium level: $2,500
  • Low level: $500

PlayStation Network

  • Critical level: $3,000
  • High level: $1,000
  • Medium level: $400
  • Low level: $100

Sony will not consider vulnerabilities found in PlayStation 1, PlayStation 2, PlayStation 3, PS Vita, PSP, other accessories, domains, or third-party software. Additionally, as part of the partnership between PlayStation and HackerOne, payments are made by the bug bounty platform.

Who can participate?

Currently, the Bug Bounty program is aimed at the gaming community, researchers, and anyone who wants to test the security of the PlayStation 5/4 and PlayStation Network. But, of course, this excludes SIE employees, contractors, service providers, and their families.

Products and services

1. The PlayStation 5 and PlayStation 4 consoles, operating system, and hardware (either the current or beta version of the software). Depending on each case, PlayStation could evaluate the possibility of accepting reports on previous versions.

2. The following domains of the PlayStation Network platform:

  • .playstation.net
  • .sonyentertainmentnetwork.com
  • .api.playstation.com
  • my.playstation.com
  • store.playstation.com
  • social.playstation.com
  • transact.playstation.com
  • wallets.api.playstation.com

Find out more about PlayStation's 'Bug Bounty Program' policy here.

How do you report vulnerabilities?

If you find a vulnerability, you can submit a report through the HackerOne platform:

  • First, create an account and log in.
  • Then go to the program's website and click on Submit report to submit your report.
  • Remember to provide enough details for HackerOne to check the validity of the vulnerability. In addition, the platform may ask you for additional information.

Important: As part of the Bug Bounty program, PlayStation relies on the good faith of researchers, users, and hackers and therefore requests that they do not access, use or transfer any information they may find. For more information on responsible vulnerability disclosure, consult the dedicated page.
