A couple of years ago, video game developer Rockstar Games, in partnership with the bug bounty platform HackerOne, launched a vulnerability bounty program to look for security flaws and possible attack vectors in Grand Theft Auto Online. Ethical hacking experts now report that this program will be extended to Red Dead Redemption 2 (for PC, PS4 and Xbox One), as well as to mobile versions of some of the company’s games.
“We are committed to the privacy and security of our users’ information. We will soon be launching a new bounty program on HackerOne to incentivize researchers’ participation and the search for potential security errors in our products,” the company’s statement says.
The company will pay a minimum reward of $150 USD to researchers who submit reports that fit the parameters of the bounty program. It is important to note that the program is limited to reports of in-game security issues or potential risks to users’ information, so Rockstar Games will not accept in-game bug reports, hardware modifications (modding) or cheating methods.
According to ethical hacking experts, Rockstar Games has banned hundreds of users for alleged abusive behavior in its online games. Although the company claims that it has never incorrectly or arbitrarily banned any user, the new bounty program offers a payment of up to $10k USD to any researcher who reports an erroneous ban made by the company’s moderators.
The parameters for a report to be eligible for a bounty were also updated; major modifications include:
- The report must conform to all the terms of the program, without exception
- The report must refer to a previously unreported flaw
- If more than one report on the same flaw is received, the report that was received first will be the first to be considered
- Flaws must not be disclosed by any means before or after submitting reports to Rockstar Games
In addition, ethical hacking experts mention that the company is willing to receive recommendations on new security measures, but the program is fully focused on finding and resolving exploitable security vulnerabilities. In other words, recommendations are welcome, but they are not eligible for rewards.
Vulnerability bounty programs have proven successful in getting exploitable vulnerabilities in software products reported and fixed before attackers can abuse them, so large companies are turning to this approach to an increasing extent. According to ethical hacking experts from the International Institute of Cyber Security (IICS), during 2018 Microsoft paid more than $2 million USD to researchers who participated in its various vulnerability bounty programs. It is estimated that the figure at the end of 2019 will increase considerably, as the company extended its program to other areas, such as GitHub and open source software used by the European Union, among others.