Sony have publicly opened their bug bounty program on popular bug bounty platform HackerOne.
The console Manufacturer are joining a growing list of companies that pay security researchers for information on vulnerabilities in their products, in this case, the PSN and the PS4.
Bounties range from $100 for minor reports, to $50’000 for critical vulnerabilities reported on the PS4.
The program has already been running for a few months privately with a handful of security researchers on the HackerOne platform. At a quick glance, we can see that Sony have paid bounties in particular to famous PS scene hackers TheFlow ($10’000 for one vulnerability) and Oct0xor ($75’000 for a total of 6 vulnerabilities) over the past few months. In total, Sony have already worked on 88 reported vulnerabilities through this program, and paid more than $170’000 in bounties.
The bounty program is now open to everyone who wishes to submit vulnerabilities, and to me there’s no question that we will see the numbers of reports grow in the weeks to come.
It is pretty obvious, that when facing the choice of releasing exploits for free to the scene, or disclosing them for a generous amount to Sony, multiple talented hackers will now choose to go with the latter. I personally do not see a problem with that, in particular given how ungrateful the scene can sometimes be to the work of these folks, but the question then becomes whether or not these people can be trusted with “scene” information, when it is known that they are collaborating directly with Sony. There’s definitely some conflict of interest there, that will most certainly reduce knowledge sharing between scene hackers, which also plays to the benefit of Sony.
I have obviously mixed feelings about this. For years I have said that if Sony really wanted to fix their security issues they should join a bounty platform. I think this is a move in the right direction for them, and for most of their customers. Of course, for the hacking scene, this is definitely a kick in the stomach, as I predict a lot of gifted hackers will consider this as their first option to disclose hacks that would have otherwise been used for jailbreaks.
PS4 hack bounty program: A Silver Lining
There’s a silver lining however, and that is that the bounty explicitly allows disclosure under some conditions:
Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request directly in your report. We look forward to disclosing issues that positively contribute to the security community.
It is therefore possible that hackers who have applied for a bounty from Sony, would still be able to reveal their exploits publicly, allowing, possibly, people who have stayed on lower firmwares, to still jailbreak their PS4.