[{"id":3758000,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. \n\n### Bounty Table:\nAll bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Rockstar account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $1,000-$2,000|\n|Critical|SQL injection with data exfiltration, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\nSubmitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. 
However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from our sites or services\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for 
dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• User credentials found in online repositories or other publicly accessible dumps\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-24T13:43:03.109Z"},{"id":3757999,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n### Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Rockstar account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $1,000-$2,000|\n|Critical|SQL injection with data exfiltration, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\nSubmitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. 
However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from our sites or services\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for 
dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• User credentials found in online repositories or other publicly accessible dumps\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-24T13:36:00.058Z"},{"id":3750474,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n### Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Rockstar account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $1,000-$2,000|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\nSubmitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. 
However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from our sites or services\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for 
dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• User credentials found in online repositories or other publicly accessible dumps\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-19T14:10:11.029Z"},{"id":3732332,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n###Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $1,000-$2,000|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\nSubmitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. 
However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTP/HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of 
this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• User credentials found in online repositories or other publicly accessible dumps\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-15T18:10:18.812Z"},{"id":3721422,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n###Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\nSubmitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. 
However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTP/HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of 
this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• User credentials found in online repositories or other publicly accessible dumps\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-25T16:48:40.270Z"},{"id":3714612,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n###Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\nSubmitting multiple reports pointing out the exact same vulnerability across multiple hosts will be treated as Duplicates of the first report submitted. 
However, we may award bonuses at our discretion if you assist us by pointing out every instance of a vulnerability (Example scenario: Submitting 3 separate reports regarding a vulnerability to CVE-2099-12345 on vulnhost1.rockstargames.com, vulnhost2.rockstargames.com, and vulnhost3.rockstargames.com)\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTP/HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of 
this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-14T18:16:02.171Z"},{"id":3703800,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n### Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force, Employee credential exposure*| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+**|\n*:Reports of employee credentials found online will be closed as \"Informative\", but we may award bonuses for source disclosures on a case-by-case basis\n**: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. 
host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). 
If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. 
FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-26T19:05:21.439Z"},{"id":3683626,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. 
Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n### Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+*|\n*: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. 
\n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages 
(unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. 
If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4 / PS5\n  - Xbox One / Xbox Series X \u0026 S\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. 
**We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. 
We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-14T14:46:32.951Z"},{"id":3674150,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n### Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+*|\n*: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. 
No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. 
host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## Additional Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). 
If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. 
FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-12T20:53:18.242Z"},{"id":3659155,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. 
Please refer to the table below for bounty ranges based on report severity. All bounties will ultimately be paid out at our discretion based on severity, likelihood, and impact.\n\n### Bounty Table:\n|Severity |Examples |Typical Bounty Range|\n--- | --- | --- \n|Informational|Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force| $0|\n|Low|Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, Social Club account privacy issues (highly variable)| $150-$500|\n|Medium|Reflected/DOM-based XSS, cache poisoning, SSRF| $500-$1,000|\n|High|Stored XSS, local privilege escalation, full authentication bypass| $750-$1,500|\n|Critical|SQL injection, remote code execution|$2,500-$25,000+*|\n*: Bounty will vary widely based on severity, likelihood, and impact.\n\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. 
\n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTP/HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages 
(unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. 
If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. 
**We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. 
We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-01T20:50:10.704Z"},{"id":3658556,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTP/HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our contact forms\n• Rate-limiting, brute-forcing, and/or credential stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. 
host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). 
If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. 
FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-20T12:41:39.616Z"},{"id":3658456,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. 
Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. 
Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded:\n\n• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n• SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n• Strict transport security (HSTP/HSTS) is not enforced\n• Lack of HTTPOnly or secure flag on non-session cookies\n• CSRF token verification missing from pages (unless you can do something impactful with the request)\n• Autocomplete enabled\n• Banner disclosures\n• Session timeout/expiration issues\n• Window.opener issues\n• Clickjacking\n• Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n• Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n• Text / content injection\n• Email spoofing directly or as it ties to any of our 
contact forms\n• Rate-limiting, brute-forcing, and/or password stuffing on endpoints\n• Generic error messages\n• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n• Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n• Account-age issues on support.rockstargames.com\n• Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n• Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-17T21:03:12.905Z"},{"id":3657901,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nThe following sorts of technical issues are also excluded and will be closed as Not Applicable. Additional issue types not listed here may be closed as Informative if they are determined to have no security impact to our employees, systems, or users. 
Please carefully read any submission confirmation windows that are triggered by your report submission.\n\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTP/HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout/expiration issues\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Rate-limiting, brute-forcing, and/or password stuffing on endpoints\n* Generic error messages\n* Attacks that only work against yourself (e.g. host header injection, self-XSS, control-character injection)\n* Account-age issues on support.rockstargames.com\n* Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice here)\n* Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. 
**Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). 
If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. 
FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-03T20:32:10.863Z"},{"id":3654630,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. 
Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. 
Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- Strict transport security (HSTP/HSTS) is not enforced\n- Lack of HTTPOnly or secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- Invalid or stale employee credential dumps - we already monitor haveibeenpwned.com and other sources for dumps of this nature\n- Nickname/gamertag enumeration\n- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string 
information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Password stuffing attacks, in general\n- Flash vulnerabilities, in general\n- Generic error messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice [here](https://support.rockstargames.com/articles/360000031907/Linked-Accounts-and-2-Step-Verification))\n- Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. 
\n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. 
**We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. 
We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-12T19:32:13.570Z"},{"id":3651206,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- Strict transport security (HSTP/HSTS) is not enforced\n- Lack of HTTPOnly or secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- Nickname/gamertag enumeration\n- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Password stuffing attacks, in general\n- Flash vulnerabilities, in general\n- Generic error 
messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice [here](https://support.rockstargames.com/articles/360000031907/Linked-Accounts-and-2-Step-Verification))\n- Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://forms.office.com/r/7737UKLECX) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. 
However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-16T14:06:32.345Z"},{"id":3648035,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- Strict transport security (HSTP/HSTS) is not enforced\n- Lack of HTTPOnly or secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- 
Nickname/gamertag enumeration\n- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Password stuffing attacks, in general\n- Flash vulnerabilities, in general\n- Generic error messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice [here](https://support.rockstargames.com/articles/360000031907/Linked-Accounts-and-2-Step-Verification))\n- Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. 
We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSdNLSDWQHxVb1Wtg1HukOOZAiJrv-GAUfav7C8sPSnnG5K00g/viewform?ts=600f19fa\u0026gxids=7628) and await an invitation to our private bounty program. 
**We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. 
We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-25T20:00:42.612Z"},{"id":3634263,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- Strict transport security (HSTP/HSTS) is not enforced\n- Lack of HTTPOnly or secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- Nickname/gamertag enumeration\n- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Password stuffing attacks, in general\n- Flash vulnerabilities, in general\n- Generic error 
messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Issues regarding user-driven configurations of third-party authentication systems (e.g. 2FA not applying to such logins despite our notice [here](https://support.rockstargames.com/articles/360000031907/Linked-Accounts-and-2-Step-Verification))\n- Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSfU2Wtngvy38YcYBweTt7HjE0ST1t_Slv4QMcn4zk-wpQjosA/viewform) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. 
We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-30T13:31:33.124Z"},{"id":3632833,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. 
We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- Strict transport security (HSTP/HSTS) is not enforced\n- Lack of HTTPOnly or secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- 
Nickname/gamertag enumeration\n- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Password stuffing attacks, in general\n- Flash vulnerabilities, in general\n- Generic error messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. 
If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSfU2Wtngvy38YcYBweTt7HjE0ST1t_Slv4QMcn4zk-wpQjosA/viewform) and await an invitation to our private bounty program. 
**We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. 
We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-12T20:56:12.560Z"},{"id":3631827,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. 
For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by Hacker One, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- Strict transport security (HSTP/HSTS) is not enforced\n- Lack of HTTPOnly or secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- Nickname/gamertag enumeration\n- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Password stuffing attacks, in general\n- Generic error messages\n- Path and internal IP (RFC 1918) 
disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Recently released zero day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). 
If your issue can only be performed solely on a controller, it's probably a glitch\n  - Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources \n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSfU2Wtngvy38YcYBweTt7HjE0ST1t_Slv4QMcn4zk-wpQjosA/viewform) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. 
FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-28T19:56:19.825Z"},{"id":3631804,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. 
Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. 
Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- HTTP Strict Transport Security (HSTS) is not enforced\n- Lack of HttpOnly or Secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- Nickname/gamertag enumeration\n- Cross-site script inclusion (XSSI) (unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass 
authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Credential stuffing attacks, in general\n- Generic error messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Recently released zero-day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. 
**Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can be performed with nothing but a controller, it's probably a glitch\n  - Reports naming specific cheaters, mods, or mod developers; this program also does not cover links to cheating forums, Discords, social media handles, or any other references to known cheat / modding resources\n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: GTA Online and Red Dead Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSfU2Wtngvy38YcYBweTt7HjE0ST1t_Slv4QMcn4zk-wpQjosA/viewform) and await an invitation to our private bounty program. **We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: GTA Online and Red Dead Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in GTA Online or Red Dead Online, denying that any cheating took place and claiming a “false-positive”. 
We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in GTA Online or Red Dead Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-28T15:18:48.179Z"},{"id":3622934,"new_policy":"## Statement\n\nWe are dedicated to the privacy and security of our users, and the environment we create for them. 
We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.\n\n# Rewards\n\nOur minimum bounty for successful vulnerability submissions is $150. Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.\n\n## Scope\n\nThe current scope is limited to the domains and applications listed below. No authorization is given to test any other video game titles, web applications, mobile applications, or desktop applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program. For more information about testing video game titles and other particular applications, please see our statement below regarding our private program.\n\n## Responsible Disclosure and Guidelines\n\nFor your submission to qualify for a bounty, you must:\n\n- Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program\n- Be the first to submit this particular vulnerability\n- Not disclose or discuss the vulnerability outside of this program before or after submitting it\n\n## Eligibility\n\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty. \n\nThe following attributes are expected in a valid submission:\n\n- The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n- Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it\n- What is the potential impact of the bug?\n- How could a malicious user potentially benefit from this issue?\n- For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\"\n\n## Exclusions\n\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n\n- Attacks involving physical access to a user's device, Rockstar property or data centers\n- Social engineering of users, Rockstar staff or contractors\n- Denial-of-service attacks\n- Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n- Results from automated tools without any manual confirmation\n- Bugs affecting 3rd party sites that consume data from Social Club\n- Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n\n- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n- HTTP Strict Transport Security (HSTS) is not enforced\n- Lack of HttpOnly or Secure flag on non-session cookies\n- CSRF token verification missing from pages (unless you can do something impactful with the request)\n- Autocomplete enabled\n- Banner disclosures\n- Session timeout\n- Window.opener issues\n- Clickjacking\n- 
Nickname/gamertag enumeration\n- Cross-site script inclusion (XSSI) (unless a particularly creative or damaging exploit can be found as a result)\n- SSO /auth/Home/SetCookie?token query string information disclosure (unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n- Text / content injection\n- Email spoofing directly or as it ties to any of our contact forms\n- Insecure crossdomain.xml policy on rockstargames.com\n- DNSSEC configuration\n- Ability to add hyperlinks to player feed, friend requests, etc.\n- Rate-limiting on endpoints\n- Credential stuffing attacks, in general\n- Generic error messages\n- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n- Control-character injection (unless you can do something impactful against users other than yourself)\n- Attacks that only work against yourself (e.g. host header injection, self-XSS)\n- Account-age issues on support.rockstargames.com\n- Recently released zero-day vulnerabilities. Please give us time to patch.\n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. **Recommendations for new controls or technologies are welcome, but they will be marked as Ineligible For Bounty unless they are accompanied by a valid exploit.** Thank you!\n\n***\n## New Opportunity: Private In-Game Bug Bounty Program\n\nIn order to help ensure the best quality experience for our players, we are working with the HackerOne community of security researchers to help us identify potential vulnerabilities in our games and non-web applications that have previously been out-of-scope. We will be accepting such reports through our private bounty program only; not on the public program you are currently visiting. \n\nBefore participating, please take careful note of the following rules. 
If your research does not follow these rules we cannot verify your report and your work will not be eligible for payment:\n\nThe privacy, security and experience of our users are of the utmost importance. **Under no circumstances may any of your testing negatively affect our users in any way**\n\n- Bans received while testing for issues will not be reversed\n- You may only use your own account(s) for testing\n- Reports with no security impact will be closed\n- Please do not report the following types of issues through this program:\n  - General game bugs\n  - Glitches (e.g. car duplication, wall hacks, etc.). If your issue can be performed with nothing but a controller, it's probably a glitch\n  - Reports naming specific cheaters, mods, or mod developers; this program also does not cover links to cheating forums, Discords, social media handles, or any other references to known cheat / modding resources\n\nThe scope of the in-game bounty is currently limited to:\n\n- Grand Theft Auto V and Grand Theft Auto Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 and Red Dead Online on the following platforms:\n  - PS4\n  - Xbox One\n  - PC\n- Red Dead Redemption 2 Companion App\n- iFruit Mobile App\n\nIn addition to the in-game bounty, we are still accepting reports for the targeted Incorrect Ban Bounty campaign, described in more detail further below.\n\nIn order to participate in either the in-game bounty or in the Targeted Bounty: Grand Theft Auto Online - Incorrect Ban Bounty campaign, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSfU2Wtngvy38YcYBweTt7HjE0ST1t_Slv4QMcn4zk-wpQjosA/viewform) and await an invitation to our private bounty program. 
**We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.**\n\n---------------\nTargeted Opportunity: Grand Theft Auto Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in Grand Theft Auto Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nAs stated above, in order to participate please submit our enrollment form and await an invitation to our private bounty program. 
We will not accept reports pertaining to an in-game bounty or incorrect ban bounty that are submitted to the public program page.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-04T18:47:54.428Z"},{"id":3589903,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  
Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n* For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\".\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* HTTP Strict Transport Security (HSTS) is not enforced\n* Lack of HttpOnly or Secure flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-site script inclusion (XSSI) (unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  
\n* Rate-limiting on endpoints\n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Control-character injection (unless you can do something impactful against users other than yourself)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero-day vulnerabilities.  Please give us time to patch.  \n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they may be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!\n\n***\nNew Opportunity: Grand Theft Auto Online - Incorrect Ban Bounty\n---------------\nWe occasionally receive support tickets from people who have been suspended for cheating in Grand Theft Auto Online, denying that any cheating took place and claiming a “false-positive”. We take these claims seriously and investigate them thoroughly. However, we have yet to find any evidence to support these claims.\n\nWe are offering a **$10,000 bounty** for any researcher who can successfully identify a reproducible incorrect ban in Grand Theft Auto Online. The types of activities that people have claimed (but we do not believe) to have caused bans include: using legitimate visual overlays (e.g. FPS) or audio chat integrations, other players spamming the in-game reporting system and having cash/rank forced on them by modders, but please do not limit yourselves to investigating these methods.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe rules of this targeted bounty are simple:\n\n1. You must only be working with your own Social Club accounts that you register with this bounty program prior to any testing (see details below).\n\n2. You must show that the banned account was using an unaltered, retail copy of Grand Theft Auto V on PC.\n\n3. The ban must not be the result of any deliberate attempts to modify the game or the test account. On the PC where the ban occurs you must not be using:\n    \n    a. custom code\n\n    b. esoteric software where we cannot verify the author or their (innocuous) intent\n\n    c. mods or other software designed to give an unfair advantage in video games\n\n    d. debuggers, disassemblers, real-time memory editors, instrumentation tools, etc.\n\n4. You must not negatively impact the game-play experience of other players while researching this bounty.\n\n5. We must be able to both independently reproduce the steps and verify the ban on your test account.\n\nOur focus is on continuing to ensure that our anti-cheat system does not ban anyone who is playing the game normally and consistently with our terms of service. Any reports that are inconsistent with the spirit of what we are focused on will be ineligible for a bounty and closed. Furthermore, no complaints or commentary about existing bans will be reviewed. Note that bans incurred as a result of violating our terms of service will not be reversed. However, if anybody were to successfully illustrate a reproducible inappropriate ban, any banned test accounts would of course be restored.\n\nIn order to participate in this bounty, please submit our [enrollment form](https://docs.google.com/forms/d/e/1FAIpQLSfU2Wtngvy38YcYBweTt7HjE0ST1t_Slv4QMcn4zk-wpQjosA/viewform) and await an invitation to our private VIP bounty program.  
**We will not accept reports pertaining to this targeted bounty that are submitted to this program page.** \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-26T19:44:27.931Z"},{"id":3577171,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  
Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n* For reports on the domain 'support.rockstargames.com', if you must make test posts in the forums, you must include \"test\" in the title. Failure to do so may result in your tests being deleted and your report marked \"Ineligible for Bounty\".\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* HTTP Strict Transport Security (HSTS) is not enforced\n* Lack of HttpOnly or Secure flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-site script inclusion (XSSI) (unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  
\n* Rate-limiting on endpoints\n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Control-character injection (unless you can do something impactful against users other than yourself)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they may be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-18T18:18:55.407Z"},{"id":3567712,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  
No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. 
Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  
\n* Rate-limiting on endpoints\n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Control-character injection (unless you can do something impactful against users other than yourself)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they may be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-29T17:22:02.520Z"},{"id":3559587,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  
No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. 
Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  
\n* Rate-limiting on endpoints\n* Lack of multi-factor authentication \n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Control-character injection (unless you can do something impactful against users other than yourself)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n\nFinally, keep in mind that the goal for this bug bounty program is to demonstrate exploitable vulnerabilities. Recommendations for new controls or technologies are welcome, but they may be marked as Ineligible For Bounty unless they are accompanied by a valid exploit. Thank you!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-25T16:36:26.830Z"},{"id":3555966,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  
\n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF 
token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Rate-limiting on endpoints\n* Lack of multi-factor authentication \n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Control-character injection (unless you can do something impactful against users other than yourself)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-19T19:16:20.633Z"},{"id":3555078,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token 
verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Rate-limiting on endpoints\n* Lack of multi-factor authentication \n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Control-character injection (unless you can do something impactful against users other than yourself)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-05T18:46:53.536Z"},{"id":3551190,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. 
We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token 
verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Rate-limiting on endpoints\n* Lack of multi-factor authentication \n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Account-age issues on support.rockstargames.com\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-11T17:30:29.147Z"},{"id":3550111,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . 
Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict transport security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token 
verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Rate-limiting on endpoints\n* Lack of multi-factor authentication \n* Password re-use attacks, in general\n* Generic error messages\n* Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information)\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-28T16:34:38.799Z"},{"id":3549214,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities . Please review the following guidelines detailing the rules of this bug bounty program.  
Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict Transport Security (HSTS) is not enforced\n* Lack of HTTPOnly or secure flag on non-session cookies\n* CSRF token 
verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Rate-limiting on endpoints\n* Lack of multi-factor authentication \n* Password re-use attacks, in general\n* Generic error messages\n* Attacks that only work against yourself (e.g. host header injection, self-XSS)\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-16T22:14:57.463Z"},{"id":3548928,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program.  
Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict Transport Security (HSTS) is not enforced\n* Lack of HTTPOnly flag on non-session cookies\n* CSRF token verification 
missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Rate-limiting on endpoints\n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-13T19:28:49.438Z"},{"id":3548402,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  
\n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\nPlease note that game bugs, glitches or exploits are not part of the bug bounty program, but can still be submitted on our support site at: https://support.rockstargames.com/hc/en-us/requests/new\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. 
If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict Transport Security (HSTS) is not enforced\n* Lack of HTTPOnly flag on non-session cookies\n* CSRF token verification 
missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Recently released zero day vulnerabilities.  Please give us time to patch.  \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-07T16:03:35.092Z"},{"id":3548345,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below. 
 No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict Transport Security (HSTS) is not enforced\n* Lack of HTTPOnly flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Ability to add hyperlinks to player feed, friend requests, etc.  \n* Recently released zero day vulnerabilities.  Please give us time to patch.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-06T20:36:53.780Z"},{"id":3548056,"new_policy":"Statement\n---------------\nWe are dedicated to the privacy and security of our users, and the environment we create for them. We believe that having a talented group of independent security researchers is paramount to achieving that goal. We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program.  Only research following these guidelines will be eligible for a bounty.\n\nRewards\n-------------\nOur minimum bounty for successful vulnerability submissions is $150.  Depending on the severity and complexity of the identified potential vulnerability, higher bounties may be paid out at our discretion.  \n\nScope\n-----------\nThe current scope is limited to the domains listed below.  No authorization is given to test any other web applications, video game titles or mobile applications.  No bounties will be given for any disclosures relating to any applications outside the scope of this program.  \n\nWe encourage you to hunt for bugs in support.rockstargames.com, which is run on top of the Zendesk platform.  Zendesk also participates in the HackerOne bounty program; see this page for details and to report Zendesk vulnerabilities: [Zendesk Bug Bounty](  https://hackerone.com/zendesk/).\n\n\nResponsible Disclosure and Guidelines\n--------------------------------------------------------\nWhen submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. 
A submission that does not meet these requirements may not qualify for a bounty.\n\nThe following attributes are expected in a valid submission:\n* The type of issue being reported. What kind of attack, does it fit a CWE number, etc.\n* Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.\n* What is the potential impact of the bug?\n* How could a malicious user potentially benefit from this issue?\n\nEligibility\n-------------\nFor your submission to qualify for a bounty, you must:\n* Adhere to all guidelines and terms related to the program, including those on this page, the terms provided by HackerOne, and the Legal agreements you accepted before being admitted to this bounty program.\n* Be the first to submit this particular vulnerability.\n* Not publicly disclose or discuss the vulnerability before or after submitting it.\n\nExclusions\n---------------\nBugs that are outside the scope or guidelines detailed here are not eligible for this program.\n\nThe privacy, security and experience of our users are of the utmost importance. Under no circumstances may any testing target or negatively affect our users. 
You must use only accounts you own and/or created specifically for testing purposes.\n\nThe following attributes would invalidate any submitted vulnerabilities:\n* Attacks involving physical access to a user's device, Rockstar property or data centers\n* Social engineering of users, Rockstar staff or contractors\n* Denial-of-service attacks\n* Bugs in 3rd party authentications (attacks specifically against our implementation are fine)\n* Results from automated tools without any manual confirmation\n* Bugs affecting 3rd party sites that consume data from Social Club\n* Any similar action that interferes with a user's privacy, security or experience\n\nAdditionally, the following sorts of technical issues are also excluded:\n* Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options\n* SSL/TLS configuration issues, such as:  Perfect Forward Secrecy not supported, TLSv1.0 / 1.1\n* Strict Transport Security (HSTS) is not enforced\n* Lack of HTTPOnly flag on non-session cookies\n* CSRF token verification missing from pages (unless you can do something impactful with the request)\n* Autocomplete enabled\n* Banner disclosures\n* Session timeout\n* Window.opener issues\n* Clickjacking\n* Nickname/gamertag enumeration\n* Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)\n* SSO /auth/Home/SetCookie?token query string information disclosure (Unless you can demonstrate a compelling way to exploit this to hijack a user's account or bypass authentication)\n* Text / content injection\n* Email spoofing directly or as it ties to any of our contact forms\n* Insecure crossdomain.xml policy on rockstargames.com \n* DNSSEC configuration\n* Recently released zero day vulnerabilities.  Please give us time to patch.  
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-02T17:41:47.979Z"}]