Big software companies and security (How Sony should handle hacking)

Today I did an interesting experiment. As you may or may not know, big software companies have to handle security issues with many techniques. One of the techniques used recently is known as “bug bounties”.

The idea is to pay independent security researchers/hackers who report vulnerabilities and bugs in critical programs (browsers, websites, applications,…) before they are disclosed publicly. In general, anybody who’s not an employee of these companies can participate. There are even a few examples of junior high school kids who have received pretty good amounts of money for reporting such security issues.

So what I did was search for the “bug bounty” programs of a few big projects/companies and look at the first results:

Facebook offers in general $500 for a vulnerability report.

Google offers between $100 and $1337 for such reports.

Mozilla offers up to $3000 for security bugs.

Microsoft doesn’t have a bounty program but organizes white hat “contests” with massive rewards.

Sony offers money to the people who could give them information about hackers… wait, what the…? (Ironically, the other results for that query are 100% about Facebook’s, Google’s, etc. bounty programs.)

The last result for Sony is just the icing on the cake. Initially I was doing the research just to show that Sony didn’t have a bug bounty program while it should. The result went even beyond my “expectations”: not only do they not have a bug bounty program, they actually pay money to chase hackers (in this case, those were some pretty bad guys, but that’s not the point).

I’m just a blogger, but here’s some advice for Sony: most of the PSP/Vita/PS3 hackers I know are students, and would really think twice about publicly releasing a hack (or contacting me about it) if the alternative was a $500 reward. I am convinced a bounty program on your gaming consoles could dramatically mitigate hacks such as the ones used for VHBL, for example.

It could also probably help mitigate commercial piracy such as the True Blue dongle on the PS3. The people behind this dongle would never sell their hack for a few hundred dollars (why would they, when they are sitting on hundreds of thousands of dollars from their black market?), but it is possible that a few independent hackers would dig more seriously into reversing the True Blue dongles if they knew there was a reward…

If you consider that there are about a dozen exploitable PSP games on the PSN right now, it would mean that for about $5000, Sony could get rid of the current “threat” that is VHBL… If I were them I’d consider running a bounty program… unless, like me, they believe VHBL is actually good advertising for their console (and let’s be honest, given its poor sales, the Vita needs every form of promotion it can get).

A bug bounty program, given the current demographics of PSP/Vita/PS3 hackers, would in my opinion be a very cost-effective way for Sony to mitigate hacking (and, to some extent, piracy) on their consoles. It could also probably be extended to their websites and services (especially the PSN). Another indirect benefit would be that trust issues would rise in current Sony hacking communities, making it difficult for hackers to work together.

Thankfully, I’m just a pissed off Sony customer, and I know Sony never listens to their angry customers, so I think we’ll still have hacks for a while on our consoles.

  1. Andrew Tavares

    Homebrew is just pure awesome, and I can not wait to have it on my Vita. Sony, please continue to let us find ways to run Homebrew on our devices. Thank you for this interesting story Wololo. Much appreciated.

    1. Reine

      :D PS Suite SDK, the other way for homebrew ..

      1. Zer01ne

        The way for no longer time.

  2. Quaeton

    Sony does not negotiate with hackers, much like how governments do not negotiate with terrorists. As soon as they let hackers think what they are doing is kind of ok – because they get rewarded for it – Sony will lose the fight. I think this is the principle behind the lack of bug bounties.

    1. wololo

      I think this is very different and I really don’t like the comparison. Bug bounties contribute to making the system as a whole more secure.

      1. Wesley

        I think this article should be taken down. Your blog is widely read wololo, and the more people who know Sony would reward them for helping get rid of hackers/exploits, the more reporting there would be = less exploits.

    2. UE

      Orrrr another way to view it is encouraging a cheap labour force of software testers to make sure we have stable and secure software… It is taking a “destructive” (and I say this with much sarcasm) hobby and interest and focusing it into productive means.
      Only an idiot would see this as a bad thing.

  3. Bart

    WHAT IS YOUR NEXT EXPLOIT GAME. HURRY THE FUCK UP

    1. wololo

      Welcome to the list of people who will be the last ones to know :)

      1. QuantumMan

        +1 Wololo

      2. Ben

        lol, so many impatient people haha.

      3. yael

        wololo wololo appreciate you for all your contributions you have made and you continue doing it for me like I PSVITA dijieras or were raising the game …. please … to load in vhbl

      4. be0ut

        zinggg!!

  4. Eli

    Don’t worry, Sony is not going to give people money anyway…

  5. StepS

    “Google offers between 100$ and 1337$ for such reports”

    Hm, what? :O really 1337? :D I suppose that’s what attracts the newcomers

  6. new_guy

    Whatever happened to Devee’s PSP kernel access hack? If I were Sony, I would be offering a bounty for that one :)

    1. UE

      he isn’t releasing it, period

      1. Wesley

        Why isn’t he releasing it? Did we ever get a word about that?

  7. ziim

    I don’t think all hackers would turn in exploits, reward or not. Look at the Apple scene. Apple pays for exploits and has even recruited one of the top hackers, but the jailbreak lives on. It is extremely difficult at this stage in the game, 5 generations of hardware to keep improving and patching, and it’s still being exploited. People want to OWN their device. I’m tired of being told what to do with what I pay for and I’m not alone. The tighter the package, the bigger the explosion!

    (Remember, remember the 15th of November!)

    1. wololo

      One big difference I see is that many hackers in the PSP/Vita scene are fairly young, young enough that a reward of several hundred dollars could matter to them more than it would to Apple hackers. Definitely, it will not entirely stop hacking of their devices (some hackers would not go for the bounty, just by ideology, or because they have a better way to monetize the hack, for example), but I believe it would help mitigate.

      1. dimy93

        Yeah wololo you’re definitely right – the future Vita hackers are young people like me that have seen the potential of the homebrew scene on PSP and just want to expand the Vita’s capabilities because it is one beautifully designed piece of hardware.

  8. zonicdx09

    To be honest I don’t know how many people would report an exploit because they want to be able to do what they want with their system BUT I don’t think piracy of Vita games will be bad considering their size and the price of memory cards for the thing.

    1. dimy93

      The point of both piracy and the homebrew scene is the community of people who are willing to contribute to this scene.
      Imagine that u’re able to write a CFW and u do it but not share it publicly. Then what would be the point – yes u’ll be able to create homebrews but how many homebrews can U create on your own – let’s say 5 a year at most + the CFW itself. That of course would be cool but it’s far from the idea of having the ability to do whatever U like with your console. Game piracy has an even stronger bond with the community thing because the whole point of game piracy is the free sharing of paid games.
      Hence without sharing your findings publicly u won’t be able to do whatever u like with your console. This leaves people who will find Vita exploits with a simple choice – do they want to share their findings publicly or do they want to get some money from Sony. I’m quite sure that many people would rather get the money and run, especially if Sony plays its cards well with the Suite SDK.

  9. braveheartleo

    Sony, Apple, and companies that take the walled garden approach would rather maintain autocratic control over their technology and private properties in the form of information, manufacturing techniques and processes, etc. Anything that will be divulged or anyone who will be made privy of such secrets must be under legal agreements or be bound with NDAs, or else they risk leaking such secrets and losing the competitive edge.

  10. braveheartleo

    The company would rather chase after those taking a crack at its properties, fire employees that publicly demonstrate vulnerabilities, even at times keeping such vulnerabilities under wraps and instead relying upon security through obscurity. Such a company typically shoots the messenger, so to speak.

    Bug bounties will not work for companies that view any untoward action on their properties as a crime against them, especially when they are heavily invested in such assets.

  11. braveheartleo

    The company would rather chase after those taking a crack at its properties, fire employees that publicly demonstrate vulnerabilities, even at times keeping such vulnerabilities under wraps and instead relying upon security through obscurity. Such a company typically shoots the messenger, so to speak.

    1. braveheartleo

      Sorry for the double post…

      1. StepS

        quadruple ;)

  12. yosh

    I bet there are more than a dozen exploitable games on PSN actually xD

  13. Seaking

    Did you delete this post?

    1. Seaking

      Nevermind. I apologize. It wasn’t showing up on the main page for a minute there.

  14. alpmaster007

    Have multiple memory cards for your Vita, then you can use
    one account for like 3 Vitas and never update the firmware
    after downloading the VHBL game. Then Sony can not stop you
    with the patch on the firmware if the game is already downloaded
    on the multiple memory cards. :)

  15. Watching The World Burn

    Sony, why not listen to Wololo? (Also wololo, when I showed your name to my friends some of them laughed because we were all playing Age of Empires)

  16. Name

    Guess what’s the first search result for ‘sony bug bounty’ now?
    HINT : click my name

  17. dimy93

    wooow chasing hackers – are hackers animals or what ???
    It seems as if Sony’s CEOs have successfully passed the Gestapo’s training program.

  18. asmodeus

    Sony would give $500 lol !!!
    I think they’ll actually give ’em a $500 PS Vita games pack to thee !!! lol

  19. cris

    Well, let’s see the Apple example:
    they tried to stop jailbreaking, they release updates each time a jailbreak occurs, they offer money for exploits, but each time a jailbreak is there and they just update with no updates in their OS.
    The average user, that’s me, wants to tweak (the reason I have Android). I paid for PSP games and I want to play them on the Vita freely; that won’t happen. What is fair for big companies is not fair for customers; at the end of the day what matters is the respect of the company for the user.
    That is my opinion and black and white positions are welcome.

  20. Shinny

    Well, it reminds me of virus vs antivirus… Some people sell viruses so that other people can sell their antivirus… The concept is pretty much the same, but instead of making viruses/exploits, people try to find them, so that Sony could patch them, for a much lower price (good economic move), because when a hack appears people start to pirate games, which means Sony is losing money… And that also reminded me of Google paying money to the ones who can hack Google Chrome…

  21. E-Kami

    I totally agree with what wololo said. Now that we have the PlayStation Suite SDK, hacking the PS Vita (I mean accessing the kernel) would be stupid; the only reasons which could lead hackers to make exploits are:
    1 – Accessing the PS Vita kernel to use all its syscalls, interrupts…
    2 – Not writing the code in C#… and using a native language instead
    3 – Using the PS Vita at its full power
    4 – Releasing an ISO loader… which I hope is not hackers’ priority…
    As many of us are independent developers or small teams, we do not need to use the full power of the Vita; also, C# is not a bad language (even if I don’t like it). So yes, for the few hackers who want to hack the PS Vita, a bounty program would be very, very helpful for both Sony and hackers.

    1. Shaun

      Don’t forget that Sony would need to approve each application that goes on PSN, so not all homebrew such as emulators would be approved. Same reason iOS needs exploiting.

      1. dimy93

        yes, and we still need to pay $99 to distribute our creations, but nevertheless a big step forward for Sony

  22. Mastershake01

    Thank you wololo for spreading your knowledge with us all and working on VHBL for us. I’m 14, I’m home all day, I mod and repair PS3s and other game consoles and right now I’m working on arbitrary and C++ trying to learn how to create; I’m transitioning from editor to creator. And the people that are talking mess need to stop; if you knew how hard some of this stuff is you would see. So wololo, I joined the other day when the hello world was up. Don’t bag on me: my brother is an employee with Sony and he says he loves your work, so not all Sony employees are rats. He told me the people that are watching your forum are getting paid overtime lol, so don’t bag on him, and he doesn’t rat.

  23. tonyuk73

    I really don’t understand why $ony have such a problem with hacks leading to running homebrew on ‘my’ Vita. It’s what I bought it for. And with the help of wololo and all the other devs that put their time into making programs such as VHBL, I know I will soon once again in the future (fingers and toes crossed) be able to play Super Mario through an emulator on a PS Vita. And to the backstabber hackers @shame@

  24. DigiTak

    No no no nononononono stop trying to give Sony ideas ._.

  25. gQx

    wololo, you can earn lots of money with this bounty thing. Do you want Sony to pay you? Is this article about that? :)) As you said earlier, Sony takes advantage of the whole hacking thing, even rumors of it. As long as Sony prevents 100% piracy they will find a way to turn the situation to their advantage.

  26. Norml

    Sony is pretty chaotic about how they handle the situation; they really need to get with the program and find that medium. Make money and work with the consumer.

  27. dfg

    1.67 vhbl game dragoneer’s aria

  28. dfg

    1.67 vhbl game dragoneer’s aria $9.99

    1. godzirra

      FYI, he’s lying.

  29. asdfjuma

    So you’re finally getting out of the biz Wololo? With these last few articles I wouldn’t be surprised if you’re the pioneer of Sony’s new bounty program. :P

    1. wololo

      You know, if they had one, I would consider it. Of course, I wouldn’t reveal other people’s exploits. But the stuff I find on my own, why not.

  30. ferx

    What about the name of the game? When is it going to be released?

    1. z3r01

      It gets released when it gets released… patience… and no, it’s not Dragoneer’s Aria, people…

  31. gQx

    Are you giving up wololo? Don’t join the Dark Side.

  32. No1

    Sorry, I don’t quite understand this. You’re pissed off at Sony, but want them to remove all possible ways (or at least as many as possible) of hacking their systems? Sony already does this, so what exactly are you pissed at?

    1. wololo

      I am not pissed off, I am just pointing fingers at another thing that Sony could do much more efficiently.

      1. Yes

        I think he is referring to your last sentence where you say:

        “Thankfully, I’m just a pissed off sony customer, and I know Sony never listens to their angry customers”

        :)

        1. No1

          Yep, the last sentence is what I was referring to indeed :)

      2. No1

        Fair enough. It was just that I saw that you wrote in the last sentence that you were a pissed off consumer, so I had to ask.

  33. No1

    I forgot to add, I don’t see why it is “what the…?” to offer a bounty leading to the arrest of the PSN hackers. When someone hacks into your system and apparently tries to steal data from you, don’t you want them to get punished?

    The article you’re referring to there is only about the guys who did the PSN hack; it is not about normal system/console hackers.

    1. Yes

      I think it’s worth noticing that it only says they’re considering it. Does anyone know if Sony did ever offer a reward for tips to catch the PSN hackers? If so, what was the reward?

      1. No1

        I’m wondering about this too. It only says “considering”, not that they actually did it.

        1. No1

          But even if they did do it, I see nothing wrong with trying to find out who did the PSN hack. The article only mentions these PSN hackers, so I think that this has much to say for the whole situation.

          1. Mycael

            Heck,
            Sony was cutting staff back then;
            lol, them hackers could even be the IT people
            Sony fired a week before the hack incident.

            Lol, if there’s anyone who’d know
            the vulnerabilities, it’d probably be them :))

  34. Axqe

    Why not a market with free apps, trial ones etc.? Android Market style would be great

  35. BlackFire

    Damn commies.

  36. 10$man

    This is very interesting.
    I certainly don’t want this to happen though.
    To be honest, I would prefer being able to run my own homebrew games to having a few hundred extra dollars in my pocket (it is intriguing though).
    What would make Sony the perfect company is if they could completely block out piracy and also release an SDK kit freely to PSP/PSV/PS3 owners.
    I think that possibly having two memory units on the PSP, one for homebrew and one for official Sony games, could be the solution. There would be a master drive that the system boots off of, then, almost like 2 memory cards, you could go to official games or custom games.

    I guess Sony is just worried about the couple of bucks they might lose right away instead of loyal and lasting customers.

    Owner of two PS3s and 4 PSPs. I love Sony products but I can’t stand their policies.
