Rockstar Games
External Program
Submit bugs directly to this organization
Rockstar Games
External Program
Submit bugs directly to this organization
We are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.
Our minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity.
###Bounty Table: All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.
| Severity | Examples | Typical Bounty Range |
|---|---|---|
| Informational | Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure* | $0 |
| Low | Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Rockstar account privacy issues (highly variable) | $150-$500 |
| Medium | Reflected/DOM-based XSS, cache poisoning, SSRF | $500-$1,000 |
| High | Stored XSS, local privilege escalation, full authentication bypass | $1,000-$2,000 |
| Critical | SQL injection with data exfiltration, remote code execution | $2,500-$25,000+** |
| *:Reports of employee credentials found online will be closed as "Informative", but we may award bonuses for source disclosures on a case-by-case basis | ||
| **: Bounty will vary widely based on severity, likelihood, and impact. |
The current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.
For your submission to qualify for a bounty, you must:
When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.
The following attributes are expected in a valid submission:
Submitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)
Bugs that are outside the scope or guidelines detailed here are not eligible for this program.
The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.
The following attributes would invalidate any submitted vulnerabilities:
The following sorts of technical issues are also excluded:
• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options • SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1 • Strict transport security (HSTP/HSTS) is not enforced • Lack of HTTPOnly or secure flag on non-session cookies • CSRF token verification missing from pages (unless you can do something impactful with the request) • Autocomplete enabled • Banner disclosures • Session timeout/expiration issues • Window.opener issues • Clickjacking • Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature • Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result) • Text / content injection • Email spoofing directly or as it ties to any of our contact forms • Rate-limiting, brute-forcing, and/or credential stuffing on endpoints • User credentials found in online repositories or other publicly accessible dumps • Generic error messages • Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information) • Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection) • Account-age issues on support.rockstargames.com • Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here) • Recently released zero day vulnerabilities. Please give us time to patch.
Finally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!
In order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting.
Before participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:
The privacy, security and experience of our users are of the utmost importance. Under no circumstances may any of your testing negatively affect our users in any way
The scope of the in-game bounty is currently limited to:
In addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.
In order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.
We occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.
We are offering a $10,000 bounty for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.
Our focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.
As stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.