Banner object (1)

Hack and Take the Cash !

756 bounties in database
Rockstar Games logo


150 $ 

Rockstar Games


We are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.


Our minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.


The current scope is limited to the domains listed below. No authorization is given to test any other web applications, video game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.

We encourage you to hunt for bugs in, which is run on top of the Zendesk platform. Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: Zendesk Bug Bounty.

Please note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: __

Responsible Disclosure and Guidelines

When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.

The following attributes are expected in a valid submission:

  • The type of issue being reported. What kind of attack, does it fit a CWE number, etc.
  • Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.
  • What is the potential impact of the bug?
  • How could a malicious user potentially benefit from this issue?


For your submission to qualify for a bounty, you must:

  • Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program.
  • Be the first to submit this particular vulnerability.
  • Not publicly disclose or discuss the vulnerability before or after submitting it.
  • For reports on the domain '', if you must make test posts in the forums, you must include "test" in the title. Failure to do so may result in your tests being deleted and your report marked "Ineligible for Bounty".


Bugs that are outside the scope or guidelines detailed here are not eligible for this program.

The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.

The following attributes would invalidate any submitted vulnerabilities:

  • Attacks involving physical access to a user's device, Rockstar property or data centers
  • Social engineering of users, Rockstar staff or contractors
  • Denial-of-service attacks
  • Bugs in 3rd party authentications (attacks specifically against our implementation are fine)
  • Results from automated tools without any manual confirmation
  • Bugs affecting 3rd party sites that consume data from Social Club
  • Any similar action that interferes with a user's privacy, security or experience

Additionally, the following sorts of technical issues are also excluded:

  • Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options
  • SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1
  • Strict transport security (HSTP/HSTS) is not enforced
  • Lack of HTTPOnly or secure flag on non-session cookies
  • CSRF token verification missing from pages (unless you can do something impactful with the request)
  • Autocomplete enabled
  • Banner disclosures
  • Session timeout
  • Window.opener issues
  • Clickjacking
  • Nickname/gamertag enumeration
  • Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)
  • SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)
  • Text / content injection
  • Email spoofing directly or as it ties to any of our contact forms
  • Insecure crossdomain.xml policy on
  • DNSSEC configuration
  • Ability to add hyperlinks to player feed, friend requests, etc.

  • Rate-limiting on endpoints

  • Password re-use attacks, in general
  • Generic error messages
  • Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)
  • Control-character injection (unless you can do something impactful against users other than yourself)
  • Attacks that only work against yourself (e.g. host header injection, self-XSS)
  • Account-age issues on
  • Recently released zero day vulnerabilities. Please give us time to patch.

Finally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they may be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!

New Opportunity: Grand Theft Auto Online - Incorrect Ban Bounty

We occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.

We are offering a $10,000 bounty for any researcher who can successfully identify a reproducible incorrect ban in Grand Theft Auto Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.

The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.

The rules of this targeted bounty are simple:

  1. You must only be working with your own Social Club accounts that you register with this bounty program prior to any testing (see details below).

  2. You must show that the banned account was using an unaltered, retail copy of Grand Theft Auto V on PC.

  3. The ban must not be the result of any deliberate attempts to modify the game or the test account. On the PC where the ban occurs you must not be using:

a. custom code

b. esoteric software where we cannot verify the author or their (innocuous) intent

c. mods or other software designed to give an unfair advantage in video games

d. debuggers, disassemblers, real-time memory editors, instrumentation tools, etc.

  1. You must not negatively impact the game-play experience of other players while researching this bounty.

  2. We must be able to both independently reproduce the steps and verify the ban on your test account.

Our focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.

In order to participate in this bounty, please submit our enrollment form __and await an invitation to our private VIP bounty program. We will not accept reports pertaining to this targeted bounty that are submitted to this program page.

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2019