52235 policies in database
Link to program      
2017-03-02
2020-04-07
Rockstar Games logo
Thank
Gift
HOF
Reward

Reward

150 $ 

Rockstar Games

Statement

We are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.

Rewards

Our minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.

Bounty Table:

|Severity |Examples |Typical Bounty Range|

--- | --- | ---

|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force| $0|

|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|

|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|

|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|

|Critical|SQL injection, remote code execution|$2,500-$25,000+*|

*: Bounty will vary widely based on severity, likelihood, and impact.

Scope

The current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.

Responsible Disclosure and Guidelines

For your submission to qualify for a bounty, you must:

  • Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program

  • Be the first to submit this particular vulnerability

  • Not disclose or discuss the vulnerability outside of this program before or after submitting it

Eligibility

When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.

The following attributes are expected in a valid submission:

  • The type of issue being reported. What kind of attack, does it fit a CWE number, etc.

  • Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it

  • What is the potential impact of the bug?

  • How could a malicious user potentially benefit from this issue?

  • For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include "test" in the title. Failure to do so may result in your tests being deleted and your report marked "Ineligible for Bounty"

Exclusions

Bugs that are outside the scope or guidelines detailed here are not eligible for this program.

The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.

The following attributes would invalidate any submitted vulnerabilities:

  • Attacks involving physical access to a user's device, Rockstar property or data centers

  • Social engineering of users, Rockstar staff or contractors

  • Denial-of-service attacks

  • Bugs in 3rd party authentications (attacks specifically against our implementation are fine)

  • Results from automated tools without any manual confirmation

  • Bugs affecting 3rd party sites that consume data from Social Club

  • Any similar action that interferes with a user's privacy, security or experience

The following sorts of technical issues are also excluded:

• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options

• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1

• Strict transport security (HSTP/HSTS) is not enforced

• Lack of HTTPOnly or secure flag on non-session cookies

• CSRF token verification missing from pages (unless you can do something impactful with the request)

• Autocomplete enabled

• Banner disclosures

• Session timeout/expiration issues

• Window.opener issues

• Clickjacking

• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature

• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)

• Text / content injection

• Email spoofing directly or as it ties to any of our contact forms

• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints

• Generic error messages

• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)

• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)

• Account-age issues on support.rockstargames.com

• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)

• Recently released zero day vulnerabilities. Please give us time to patch.

Finally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!


Additional Opportunity: Private In-Game Bug Bounty Program

In order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting.

Before participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:

The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any of your testing negatively affect our users in any way

  • Bans received while testing for issues will not be reversed

  • You may only use your own account(s) for testing

  • Reports with no security impact will be closed

  • Please do not report the following types of issues through this program:

  • General game bugs

  • Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch

  • Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources

The scope of the in-game bounty is currently limited to:

  • Grand Theft Auto V and Grand Theft Auto Online on the following platforms:

  • PS4

  • Xbox One

  • PC

  • Red Dead Redemption 2 and Red Dead Online on the following platforms:

  • PS4

  • Xbox One

  • PC

  • Red Dead Redemption 2 Companion App

  • iFruit Mobile App

In addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.

In order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.


Targeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty


We occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.

We are offering a $10,000 bounty for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.

Our focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.

As stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.

In Scope

Scope Type Scope Name
application

Rockstar Games Launcher

web_application

support.rockstargames.com

web_application

lifeinvader.com

web_application

rockstarnorth.com

web_application

*.rockstargames.com

web_application

socialclub.rockstargames.com

web_application

prod.ros.rockstargames.com

web_application

store.rockstargames.com

Out of Scope

Scope Type Scope Name
web_application

faspex.rockstargames.com

web_application

emailcontent.rockstargames.com

web_application

bomgar.rockstargames.com


Firebounty have crawled on 2017-03-02 the program Rockstar Games on the platform Hackerone.

FireBounty © 2015-2024

Legal notices | Privacy policy