Rockstar Games launches first public bug bounty programme

March 6, 2017 // 12:01 p.m.

Tags: #bug-bounty #grand-theft-auto #grand-theft-auto-v #gtav #hackerone #insecurity #rockstar #rockstar-games #security #vulnerability

Rockstar Games has launched its first public security vulnerability bounty programme, in partnership with HackerOne, but it's not asking for help securing its games; instead, it's concentrating on its websites.

Those who have played Rockstar's Grand Theft Auto V multiplayer will be all too familiar with griefers and hackers who exploit the game in order to spoil the fun for everyone. From miniguns that shoot cash and invulnerable griefers to the theft of players' cash in a game that allows you to spend real-world money, Rockstar's own forum is filled with tales of woe - but the company's first public bug bounty programme ignores issues with its online gaming platform in favour of shoring up its websites instead.

Run on the HackerOne bug bounty platform, Rockstar's vulnerability bounty programme had been operating in private for around nine months before being opened to the public late last week. Under the programme, HackerOne members can test the security of Rockstar's services and submit reports of vulnerabilities in exchange for cash payouts - a minimum of $150 per valid report, the company claims, though some contributors have received upwards of $1,200 depending on the severity of the flaw and the amount of information provided. The average bounty paid out so far, the site claims, is $500.

Sadly, none of the reports have anything to do with Rockstar's games. 'No authorisation is given to test any other web applications, video game titles or mobile applications,' the company has explained in the programme's rules. 'No bounties will be given for any disclosures relating to any applications outside the scope of this program.'

So which services are covered? Rockstar's websites, ranging from its main www.rockstargames.com domain to the Rockstar Social Club, lifeinvader.com, rockstarnort.com, and various domains associated with telemetry reception and patch distribution. Even then, only selected reports will be accepted: the company has expressly excluded any issues involving physical access, social engineering, denial of service, third-party site involvement, and various concerns regarding its implementation - or lack thereof - of security features such as HTTP Strict Transport Security and perfect forward secrecy.

Full information on the bounty programme, which has so far paid out nearly $90,000, is available on the HackerOne page.