Do you think you have found a vulnerability in the Sony PlayStation 4 or the PlayStation Network?

If so, you could be heading towards a sizeable sum of money. That’s because Sony announced details of a new bug bounty program that it is running in co-ordination with vulnerability-reporting platform HackerOne.

Sony is inviting security researchers, gamers and anyone else who is interested to “test the security of PlayStation 4 and PlayStation Network.”

Before now, Sony has been running a private invitation-only bug bounty program with some security researchers, but it says that it now believes the best way to enhance security is to embrace the wider community.

To encourage testing by more people, the bug bounty program will be offering rewards for different levels of responsibly disclosed vulnerabilities, reaching over $50,000 for previously unknown critical vulnerabilities on the PS4.

Of course, there are some rules.

Bounty rewards will differ in size depending on the severity of the vulnerability and the quality of the report (both of which will be determined by Sony). For a low-severity vulnerability on PlayStation Network, for instance, you might only receive a reward of $100, ramping up to a minimum of $3,000 for details of a high-severity security problem.

On the PlayStation 4 itself, the numbers increase rapidly to in excess of $50,000 for the most critical reports.

If you fancy your chances reporting a PlayStation Network vulnerability, then you need to be aware that only the following domains are in scope for a reward:

  • *.playstation.net
  • *.sonyentertainmentnetwork.com
  • *.api.playstation.com
  • my.playstation.com
  • store.playstation.com
  • social.playstation.com
  • transact.playstation.com
  • wallets.api.playstation.com

That doesn’t mean you have free rein to spam those sites or to launch distributed denial-of-service (DDoS) attacks against them. Intentionally disrupting Sony’s operations