Sony's PlayStation 4 is one of the most widely used gaming consoles; its main competitor is Microsoft's Xbox One. Being a gaming console does not make it free of exploitable vulnerabilities, and the recent rise in attacks across all kinds of platforms has pushed Sony to roll out a bug bounty program.
Introduction of the Bug Bounty Program
Accepted Vulnerabilities
Sony has published a list of the vulnerability classes accepted by the bug bounty program. The domains in scope for the PlayStation Network are:
- *.playstation.net
- *.sonyentertainmentnetwork.com
- *.api.PlayStation.com
- my.playstation.com
- store.playstation.com
- social.playstation.com
- transact.playstation.com
- wallets.api.playstation.com
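A scope list like this mixes wildcard entries with exact hostnames, and getting the wildcard semantics wrong is how hunters end up testing out-of-scope hosts. The following is an added example (not code from Sony or the program page) of a scope checker over the eight entries above. It assumes the usual bounty-program convention that `*.example.com` covers any subdomain of `example.com` but not the apex itself, and that matching is case-insensitive; both are assumptions, not statements from the program.

```python
import re
from urllib.parse import urlsplit

# Constructed from the in-scope list above. A "*." entry is assumed to cover
# any subdomain of the suffix (one or more labels) but not the apex domain.
PSN_SCOPE = [
    "*.playstation.net",
    "*.sonyentertainmentnetwork.com",
    "*.api.PlayStation.com",
    "my.playstation.com",
    "store.playstation.com",
    "social.playstation.com",
    "transact.playstation.com",
    "wallets.api.playstation.com",
]


def hostname_of(target):
    """Lowercase hostname of a URL or bare host: no scheme, port, path or trailing dot."""
    if "://" not in target:
        target = "//" + target          # make urlsplit treat it as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def _matches(pattern, host):
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Require at least one DNS label before the suffix and anchor both ends,
        # so the apex ("playstation.net") and look-alikes such as
        # "playstation.net.evil.com" both fail to match.
        return re.fullmatch(r"([a-z0-9-]+\.)+" + re.escape(pattern[2:]), host) is not None
    return host == pattern


def in_scope(target, scope=PSN_SCOPE):
    """Return the scope entry that covers target, or None. Exact entries win over wildcards."""
    host = hostname_of(target)
    if not host:
        return None
    exact = [p for p in scope if not p.startswith("*.")]
    wild = [p for p in scope if p.startswith("*.")]
    for p in exact + wild:
        if _matches(p, host):
            return p
    return None


if __name__ == "__main__":
    # Constructed sample targets, including the edge cases the checker must handle.
    for t in [
        "https://store.playstation.com/en-us/",
        "auth.api.playstation.com",
        "wallets.api.playstation.com",
        "playstation.net",
        "playstation.net.evil.com",
        "www.playstation.com",
    ]:
        print(f"{t:45} -> {in_scope(t)}")
```

Note that `www.playstation.com` and the `playstation.com` apex come out as out of scope: only `*.api.playstation.com` and the five named hosts under `playstation.com` are listed, so a checker that naively treats `playstation.com` as in scope would send traffic to hosts the program never authorised.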
If you look at the domains in this list, all of them serve the core PlayStation Network services. External links and ads to third-party sites are not covered unless they interact with an in-scope domain. For the console itself, Sony accepts reports on the PlayStation 4 system, its operating system, and its accessories. The accepted vulnerability classes are:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
- Insecure Direct Object References
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-Side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
- Directory Traversal
- Information Disclosure
- Open Redirects
- Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product)
Out of Scope Vulnerabilities
Sony does not accept reports on any PlayStation Network domain other than the eight listed above. Reports on vulnerabilities in open-source components that were made public less than 7 days earlier are also not accepted, nor are social engineering of Sony employees, physical attacks, or raw scanner output and reports from automated exploitation tools. Network-level findings such as DDoS attacks, clickjacking, and missing HTTP security flags are out of scope as well.
Rewards
To date, the average bounty paid is $400 and the last disclosed total payout was $177,500. Sony has promised up to $50,000 for severe vulnerabilities in the PS4 and up to $3,000 for those in the PlayStation Network. The highest bounty disclosed so far, $10,000, was paid for an exploit of the WebKit browser engine; the vulnerability was rated High severity, with a score between 7.0 and 8.9.
Webkit Browser Engine Exploitation
The PlayStation 5, launching this year, is also expected to follow suit with a similar program shortly after launch. This translates into continuing opportunities for those familiar with the inner workings of the console and its gaming network.
Interested in learning more about the various bug bounty programs and their top contributors? Follow our blog to keep yourself updated with the latest trends in cybersecurity.