Rockstar Games partnered with a Cybersecurity program called HackerOne in 2017 to tackle any security and hacking issues for Grand Theft Auto Online. This partnership has now been widened to include Red Dead Redemption 2 for Xbox One, PC, and PS4 and their respective mobile companion apps.
Rockstar will pay out a minimum of $150 for any successful submissions. It is worth noting that minor in-game bugs, cheaters, modders, etc are not eligible for this system. The system is strictly limited to in-game security issues or security issues that could expose user data.
Rockstar also claims that to date, they are yet to find any evidence that they have banned anyone incorrectly in Grand Theft Auto Online after 6 years. The company further states that everyone who has been banned and has appealed against it has lost due to evidence showing that they cheated in some way. Rockstar Games is now offering $10,000 for any researcher who can successfully identify an incorrect ban. Rockstar is conducting this in an effort to improve their anti-cheat systems.
You can read the full statement below (Source)
Statement
We are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.
Rewards
Our minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.
Scope
The current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.
Responsible Disclosure and Guidelines
For your submission to qualify for a bounty, you must:
- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program
- Be the first to submit this particular vulnerability
- Not disclose or discuss the vulnerability outside of this program before or after submitting it
Eligibility
When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.
The following attributes are expected in a valid submission:
- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.
- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it
- What is the potential impact of the bug?
- How could a malicious user potentially benefit from this issue?
- For reports on the domain ‘support.rockstargames.com’, if you must make test posts in the forums, you must include “test” in the title. Failure to do so may result in your tests being deleted and your report marked “Ineligible for Bounty”
Exclusions
Bugs that are outside the scope or guidelines detailed here are not eligible for this program.
The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.
The following attributes would invalidate any submitted vulnerabilities:
- Attacks involving physical access to a user’s device, Rockstar property or data centers
- Social engineering of users, Rockstar staff or contractors
- Denial-of-service attacks
- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)
- Results from automated tools without any manual confirmation
- Bugs affecting 3rd party sites that consume data from Social Club
- Any similar action that interferes with a user’s privacy, security or experience
Additionally, the following sorts of technical issues are also excluded:
- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options
- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1
- Strict transport security (HSTP/HSTS) is not enforced
- Lack of HTTPOnly or secure flag on non-session cookies
- CSRF token verification missing from pages (unless you can do something impactful with the request)
- Autocomplete enabled
- Banner disclosures
- Session timeout
- Window.opener issues
- Clickjacking
- Nickname/gamertag enumeration
- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)
- SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user’s account or bypass authentication)
- Text / content injection
- Email spoofing directly or as it ties to any of our contact forms
- Insecure crossdomain.xml policy on rockstargames.com
- DNSSEC configuration
- Ability to add hyperlinks to player feed, friend requests, etc.
- Rate-limiting on endpoints
- Password stuffing attacks, in general
- Generic error messages
- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)
- Control-character injection (unless you can do something impactful against users other than yourself)
- Attacks that only work against yourself (e.g. host header injection, self-XSS)
- Account-age issues on support.rockstargames.com
- Recently released zero day vulnerabilities. Please give us time to patch.
Finally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!
New Opportunity: Private In-Game Bug Bounty Program
In order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting.
Before participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:
The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any of your testing negatively affect our users in any way
- Bans received while testing for issues will not be reversed
- You may only use your own account(s) for testing
- Reports with no security impact will be closed
- Please do not report the following types of issues through this program:
- General game bugs
- Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it’s probably a glitch
- Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources
The scope of the in-game bounty is currently limited to:
- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:
- PS4
- Xbox One
- PC
- Red Dead Redemption 2 and Red Dead Online on the following platforms:
- PS4
- Xbox One
- PC
- Red Dead Redemption 2 Companion App
- iFruit Mobile App
In addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.
In order to participate in either the in-game bounty or in the Targeted Bounty: Grand Theft Auto Online – Incorrect Ban Bounty campaign, please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.
Targeted Opportunity: Grand Theft Auto Online – Incorrect Ban Bounty
We occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.
We are offering a $10,000 bounty for any researcher who can successfully identify a reproducible incorrect ban in Grand Theft Auto Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.
Our focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.
As stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.
