- theflow0 submitted a report to PlayStation. Oct 25th (8 months ago)
- PlayStation rewarded theflow0 with a $20,000 bounty. Nov 12th (7 months ago)
- shoshin_cup (PlayStation staff) closed the report and changed the status to Resolved. Apr 4th (3 months ago)
- theflow0 requested to disclose this report. Apr 4th (3 months ago)
- sazerac (HackerOne staff) agreed to disclose this report. Jun 10th (9 days ago)
I generally refuse to participate in bug bounty programs through intermediaries like HackerOne, because they severely restrict and delay your ability to disclose. After having been denied a bug bounty for reporting a vulnerability directly, and often having spent frustrating amounts of time just trying to get a response even from major companies, I've basically given up completely on bug bounty programs, and will likely go for full disclosure in the future (with a note to the corresponding security team for awareness).
For smaller issues, the bounties often don't even fairly compensate the (usually significant) effort spent communicating with the security team if you value your time at a competitive hourly rate, and payment is hit or miss. Not worth giving up your right to talk about the issues in exchange.
Friend just disclosed a 7 vuln chain RCE in a Fortune 20 company. Affected all cloud and on-prem versions.
They denied it as it was under NDA during a "scheduled" pentest (their client paid them to pentest and they alerted the vendor letting them know they'd be doing it during a 2 week period like most cloud vendors).
For someone to spend weeks developing that many vulnerabilities to get an RCE and then get nothing from the vendor other than "haha technically we don't have to pay you" - there is zero reason to not go through agencies that sell to governments (ZDI, Zerodium, etc).
You'll get paid and now the bug won't get patched.
There's three parties: 1. Cloud service provider, 2. Client, 3. Tester
Client pays Tester to find vulns in Client's setup, including third party tools used by Client. Client notifies Cloud that there will be testing, and presumably the ToS allow such pentesting. In the process Tester discovers vulns in Cloud.
Not sure how to think about that. I'd expect a pen tester to live off the money they get for the pentest and not make extra money with bounties from the time spent during that pentest. If the bug was in the software of another vendor then that's not as clear, but I'm still not sure if the pentester should be entitled to a bounty. If anything, maybe the client should get the bounty as they hired and paid for the pentester to find vulns?
I feel like all these takes seem to not really consider the idea that some people enjoy security work but do not want to be part of criminal enterprises, especially in the age of ransomware.
Gaming devices have always been special I think cuz basically every heavy gamer pirates games as a kid (no money!) and there’s a very legit “I just want my device to run software” feeling, but I think generally people want shit to be fixed.
There’s another path - open source disclosure. I’m not seeking pay, I’m not using it. I’m just putting it right out there in the open. Should the wrong parties abuse it, oh well.
At this point in life, I feel “responsible disclosure” is just a PR tool for shit-birds to use to dodge accountability. The only thing they will respond to is pain.
I do not understand the "oh well if it gets exploited" vibe. It's not the company that suffers in that case, but users of the software!
Now, you might want to somehow tell these users about this, so they can get off of the software. And there's this balancing act in that case...
In the abstract universe where I have a nasty exploit and the company wants to ignore it, I suppose I would just try to loudly publish a first step which is like "hey, I have this PoC which gives me RCE with this software, and the company is ignoring it", without revealing the methodology at first. Perhaps at least publishing some mitigation strategies.
I am not a security researcher, but I understand that this would be hard. But I think it's not honest to say that just dumping an exploit to the world is the best alternative to stonewalling.
Sometimes, but not always, the stock market reacts by tanking the stock price. So the company does sometime get punished. For some vulnerabilities the end user does still end up paying more anyway though.
A hack has never impacted the stock price for a company for more than a week. Look at Equifax, it had almost doubled its stock price between 2017 and 2022. That company should be dead.
There are no repercussions for companies who are hacked. Until GDPR style fines are dealt, and companies are taken out back by regulatory agencies and shot - this will continue.
The thing you miss is CIO DGAF because he has a paper trail covering his ass - pays for all kinds of corporate placebos (antivirus, WAF), even did a pentest. Worst case scenario they will get in the news and get free advertising to >50% of the clueless population.
The PoC requirement seems to be there to help the triage team filter out the many garbage reports they get.
Having seen a glimpse of what you get out of a bug bounty program (lots and lots of people with no clue submitting bogus reports) I understand why companies are doing that, but especially for a commercial company, their triage burden is not my problem. I'm doing them a massive favor by reporting it, and as mentioned above I'm not getting paid adequately for it... so either they do the triage properly (yes, that's a lot of work), or they pay me to spend time to give them a clearer proof... or they don't get the vulnerability reported/responsibly disclosed.
Ironically, if you went through one of the platforms initially and they responded like that, you can't just go full disclosure anymore without violating the platform ToS, just like this post showed.
The absolute minimum that such platforms should do would be report closed = NDA lifted, but since they're more dependent on their paying customers than the researchers, they won't do that.
From a $ perspective, most bug bounty programs look rather uneconomic to me, which I presume is by design.
Bounty programs require a hacker to reveal their secret. That cripples a hacker’s negotiation strength, and the hacker cedes nearly all control (as you point out).
Are there any organisations which can authenticate a vulnerability, without the hacker revealing the vulnerability itself?
Vulnerability authentication seems like a hard problem:
* powerful adversaries will wish to “steal” the vulnerability for themselves,
* the hacker will want to remain anonymous,
* the hacker needs to believe they will be safe and their vulnerability will not be stolen,
* legal, social, and financial incentives would be difficult to align for such an organisation to even exist. In a “safe jurisdiction” three-letter-agency and legal issues would probably be prohibitive (can’t aid extortion etcetera), and in other looser jurisdictions there would be powerful dark threats (far dominating over any legal issues).
* in most markets authentication is handled by organisations doing repeat transactions so that their incentive is to be trustworthy. However in this market government or blackhat organisations will want to create fronts or suborn organisations.
I guess on the dark markets there are authentication options for black hats. Any links to discussions about that?
Can vulnerability authentication be solved for white hats?
Practically, HackerOne is already in the business of validating vulnerability reports, and they did so here. The real problem is that HackerOne takes a commission on vulnerability reports but does not protect the researcher if the program doesn't pay for the validated report. Other platforms like Bugcrowd do protect you (which is probably sufficient for the problem you describe), but HackerOne strangely does not.
There's already a trusted intermediary, you don't really need to hide the report from the company -- the intermediary just needs to provide protections to both sides.
disclaimer/context: I'm a HackerOne customer (I manage a program, and heavily compared Bugcrowd to HackerOne prior to purchase).
> Practically, HackerOne is already in the business of validating vulnerability reports, and they did so here.
This is true of some programs, but not all. Only for programs that HackerOne manages and triages for is this the case. Companies can and do refuse the triage service. The triage service, and H1 staff are incredibly devoted to the hacker side of things. H1 staff routinely advises when we should pay more, when we should award bounties on borderline issues, and offers their mediation process if a hacker disagrees with our judgement. They push us (and I assume other companies) to increase the scope of your program, to increase bounty payouts, and to decrease complexity with complying with program rules.
> The real problem is that HackerOne takes a commission on vulnerability reports but does not protect the researcher if the program doesn't pay for the validated report.
I manage a HackerOne program, and at least on our contract, this isn't as straightforward as you might expect. We pay for HackerOne's services with a tiered billing structure based on how many bounties we pay out. If we pay out $1500 we pay out $1500 flat, nothing skimmed off the top. If we pay out more than $x, we have to pay for an additional consumption tier irrespective of whether or not we pay out bounties up to the max on that tier.
> Other platforms like Bugcrowd do protect you (which is probably sufficient for the problem you describe), but HackerOne strangely does not.
For the most part, Bugcrowd has its own set of problems, which is off-putting to a lot of people, including my team. Specifically, Bugcrowd's Vulnerability Rating Taxonomy [0] includes many things, particularly in the P4/P5 categories, that are extremely noisy. In both cases, both companies don't pay out on dupe reports, for example.
"From a $ perspective, most bug bounty programs look rather uneconomic to me, which I presume is by design."
It depends. If you're a graduate with multiple FAANG offers in the US, they're not worth it. If you're in a developing country, they're worth it a lot.
Unfortunately, that also means that people who have good skills are less likely to participate and people who don't have marketable skills have an apparent incentive to try (they will not get the money, but the promise/possibility still lures them to submit reports) resulting in an absolutely atrocious quality of reports.
I don't think authentication is useful for white hats. A whitehat can just report it (which he'd do anyways) and then either get the bounty or not. The only benefit of authentication would be for the receiving company, and that's called triage and exists as a service (as we see in the full timeline, it was used here).
> authenticate a vulnerability, without the hacker revealing the vulnerability itself
In principle, with standalone software that can be run under emulation, including OSes and device software, it's possible to publish a verifiable, zero-knowledge proof of execution of the exploit leading to some state (e.g. root access or changing a file) without revealing how it's done.
The principle is similar to public key crypto: Everyone can verify the proof, only those with knowledge of the secret input can produce the proof.
The proof does not contain the actual execution steps because that would reveal the secret input, but it may contain before and after states for the verifier to convince themselves an exploit took place between them, along with a cryptography-style proof that the after state is reachable under this emulator using secret input known by the hacker.
The biggest news about this for, well, hackers is obviously that theflow0 is back in the game! They've been instrumental in the homebrew PS4 scene as covered by Modern Retro Gamer on YouTube.
> After having been denied a bug bounty for reporting a vulnerability directly, and often having spent frustrating amounts of time just trying to get a response even from major companies, I've basically given up completely on bug bounty programs, and will likely go for full disclosure in the future (with a note to the corresponding security team for awareness).
I personally believe that if a bug bounty program denies your report / closes it out as N/A or out-of-scope, you should be able to disclose it. The whole point of bug bounty is practically "legal extortion". The buy-in is that you're getting security details in exchange for payment. If you're not paid, the information shouldn't be used or worthy of payment. The security issue's severity should command a level of payment. If it fails to command this, surely the company doesn't think it's valuable, right?
> I've basically given up completely on bug bounty programs, and will likely go for full disclosure in the future (with a note to the corresponding security team for awareness).
I think you should still report to bounty programs, at least ones with "HackerOne managed" badges on them, because at least HackerOne will try to reproduce the issue / triage it. If you want you can go full disclosure, but believe it or not, smaller companies with people like me at the helm are more than happy to pay out bounties. We may not have big company budgets, but we really do take things seriously, and we enjoy rewarding people who find interesting problems.
For the record, emails to security@ company are practically inundated with false positive "bug bounty" reports from researchers who have very low signal. HackerOne/Bugcrowd are often just better ticket management systems, because when you get 10 of the same report about something that isn't a security problem a day, real issues slip through the cracks. HackerOne's triage team is very good at identifying an exceptional issue and raising it up to us, which was often difficult pre-H1 via security@ emails. Also, more and more, GDPR data deletion requests get flooded to privacy@ and security@. When this happens, the security inbox looks more like GDPR/low hanging fruit zone than an actual "important security issue that needs attention immediately" zone.
Not saying public bug-bounty programs such as this are perfect. Those around a certain date in the past remember strongly when the situation with public research was more precarious and Sony attempting lawsuits, prosecutions and other utterly horrible attempts at 'damage control' with the PS3. In that light, and with the researcher being able to disclose his research after the public security patch, it does appear more amicable.
100%, TheFloW is a legend in the Vita community. Every time Sony released a new firmware fixing one of his exploits, he released another one, until Sony stopped updating the Vita.
The guy also developed quite a bunch of useful low-level software—he and Rinnegatamante basically carry the homebrew/jailbreak community for Vita, at least lately.
Meanwhile, his twitter says ‘Security Engineer @ Google’.
Bit weird that he didn't turn this into a jailbreak for PS5, though. But perhaps I'm missing something about PS5's firmware update scheme.
$20k for pirated ps4/ps5 games? Seems ridiculously low.
When I lived in Bolivia I remember buying PS2 games in the market for 10 Bs. ($2). I imagine few people in Bolivia can buy these games. Same for other third world countries.
I imagine the exploit author reported it for the clout and a "good get" right? It's quite the feather in your cap.
It's also not like house owners reward people that tell them about an open front door with the total value of their house's contents. In Dutch we say "10% finder's wages" (10% vindersloon) when someone returns an item they found, say a smartphone. Sometimes you get nothing, sometimes you get 20%, but nobody expects to get 100% (or even half) of the true value of the item you are dutifully returning.
That there is a huge market in less-wealthy countries for pirated games is a well-known fact. What strikes me as a leap is that there is some mastermind behind it all that has enough savings (or other liquidity) to buy these exploits for whatever you would consider the true value (if $20k is "ridiculously" low), and then needs to earn all that money back by selling game copies (presumably there is some hardware cost to burn discs) to a population that is large but, indeed, poor.
No one is returning something to PlayStation, though. This is independent intellectual property. Property, that if exposed, runs the risk of destroying their entire ecosystem.
And this possibly cuts well beyond simple piracy. PlayStation enjoys exclusive control over who does and does not get to publish on their platform. A mechanism that earns them millions in licensing deals, to the extent that they can happily lose money on the sale of the hardware itself. The destruction of that mechanism seems akin to destruction of their entire platform.
This isn't a "we found your front door unlocked" situation. This is a "we found a bomb attached to your spine, and we know exactly how to dismantle it."
What is the actual risk though? Game piracy is almost a solved problem now that most gaming is online gaming. Very few are interested in getting free games if it means permanently being unable to play online.
Really? It seems like some of the biggest titles for PlayStation are single player games. Multi-player is often tacked on, but I doubt it's the main selling point for most of their titles. Would so many people have played the last of us or red dead redemption if they shipped those games without any single player campaign and had only the strength of their multiplayer experience to go on? Final fantasy, kingdom hearts, Spider-man, God of war, Detroit: Become Human (Quantic Dream titles in general), Persona, Cyberpunk 2077, these all depended heavily (or entirely) on single player content.
Plenty of folks would have welcomed a chance to play those kinds of games if they were just a download away. Even multiplayer games aren't necessarily off the table if unofficial servers are created and can be used, and piracy aside, it's compelling to be able to run your own software on the devices you own.
Yes there are good singleplayer games around, but the vast majority of people will at some point want to play a multi player game as well. The group of people who are willing to permanently give up multi player to save money on single player games is quite small.
In the modern internet connected era, piracy is almost completely solved. A good example is the Nintendo Switch. There have been several major exploits which have allowed full access to the system and piracy, and yet it has hardly touched their profits since multiplayer has become such a big aspect and network updates allow this stuff to be fixed.
Compare this to the Nintendo DS and DSI. You could buy piracy carts at almost every retail store and almost everyone was doing it. There was also no downside to the consumer since it didn't require giving up anything. Piracy was a massive issue for this console.
If they already have the networks in place to sell stuff like pirated movies, I don't see why they would balk at paying for an exploit to sell pirated games. I could also see them using an advance + royalty model to share the risk with the exploit writer.
I'm from a 3rd world country and can confirm, everyone is keeping their PS4 on v9.00. A shop near me is selling dozens of PS4s with 10+ pre-installed games, each for $280-300.
The question is how competitive is the market? Would he get more money by auctioning it off? For something like smartphones there are plenty of governments that would buy. But for a game console? It's mostly commercial pirates and I guess those don't have as much money sloshing around.
Maybe one could make it an adversarial kickstarter kind of thing. The public pools against sony, full disclosure vs. time-delayed disclosure.
I've seen some interesting things out this way, like a 1980s IBM computer still running some dBASE II app in an auto parts store for its inventory on a green phosphor screen, which I'd love to do some videos about.
I recently got into game collecting and this is fun indeed. Managed to get myself a copy of Silent Hill 3 for the PS2, which isn't exactly a rare game but it's up there for sure.
It's like 100+ on ebay, it's kind of rare now. Classic tho. Harder and harder to find working playstation 2 consoles as well. Those games genuinely freaked the shit out of us.
When I was a teenager there was this abandoned Catholic girls school in our neighborhood which we used to go exploring in dodging the security guard and etc. It had this huge hole in the gym floor completely filled with desks JUST LIKE IN THE GAME so that was a lot of fun to bring friends who had played silent hill to come and check out.
That sounds terrifying lol. I loved these games as a kid as well but couldn't play it because of how scary they were. It wasn't until I became a young adult that I was able to actually experience them, as well as horror movies.
As for the console I also got extremely lucky and managed to snag one with no mod chip or any other alterations whatsoever. Now that we have software exploits for the PS2 through FreeMcBoot it seemed like the best bet from a collection standpoint.
Oh yeah I think these games, running from security guards/police and other crazy as hell experiences in my youth broke my amygdala or something. I regularly get into the most messed up, near-death situations and laugh them off cause at least it's not like I have pyramid head coming after me.
For some reason I've noticed that in Nicaragua families really like watching horror flicks together, it's like part of the culture there for some reason. I was watching the silent hill movie with one and they actually didn't know it was originally a video game.
Pyramid head sounds like a fun halloween costume for next year, a friend of mine went as a nurse from that last time. Can do it with some cardboard boxes I think.
5 vulnerabilities, this is the issue that I often see: nobody wants to fix an issue that isn't exploitable, so reporting all those alone won't get them fixed for maybe even years, and then someone figures out how to connect them and we get chains like this.
The researcher I think should be able to negotiate the rate prior to disclosure (ie “how much would a vulnerability that accomplishes xyz be worth it to you?”). I wonder if that might change some of these payouts.
> With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
So this person basically saved them from losing tons of money (if you accept these companies' claim that pirating games actually makes them lose money in the first place) and they only awarded them $20K.
Good way to ensure others who find similar exploits sell them to the highest bidder on dark markets instead, as they'll be able to get way more than that.
I had some considerations of getting into white hat hacking. I'd have enough motivation to become somewhat proficient in a few years, maybe even very good in a decade. But then I look at the rewards for vulnerability discovery and I think what the hell??? If I'd spend years honing my skills and someone would offer me a few grand for something that could potentially cost them millions, I don't think I'd manage not to sell it to the highest bidder. This is like a gig economy but for infosec.
I despise Team Xecuter for a number of reasons, but these two exploits aren't necessarily comparable. The PlayStation vuln in question would allow people to create pirated Blu-ray disks that work as expected on vanilla PS5 models. TX created a custom firmware that required hardmodding your Switch to persist. Nintendo couldn't really wring out TX without proving that their damages went beyond just the owners of hacked Switch consoles, which it certainly didn't. In Sony's case, they could probably sue pretty hard if people started selling pirated or counterfeit PS5 games, since every PS5 owner is affected.
IANAL, but I think you have to keep the scope of the damages in consideration.
By every owner affected you mean, there is small to no moat and everyone can use it if they so wish.
It is not like PS5 owners are going to be upset for having a straightforward way to run games -- e.g. make their own Blu-ray copies etc.
Edit: To clarify: that this is valued for/by Sony at only 20k is beyond me. But absolutely that valuation should be admissible in court in my opinion.
On the other hand, this number tells me to never submit a bug bounty for the money -- at least to some companies. It is simply not worth it most of the time/in most contexts. Write a paper/publication of some sort and use it to get a good job that pays you a salary for more -- if you already have one, just publish them immediately with a ping to the sec team. If they want to fix these, fine, otherwise... they can pre-pay you to report them to them under contract for a good amount of money.
> allow people to create pirated Blu-Ray disks that work as-expected on vanilla PS5 models.
I don’t understand why there isn’t an industry of selling pirate copies of official games. What I mean is buying an official copy of the game, “image” the disc, and press 1:1 copies for cost + a couple dollars.
Why didn’t that happen? Are there technical issues preventing this from working? I can’t think it’s a matter of cost, BRD can’t cost that much to make at scale.
Not sure how it works exactly (I'm sure someone else in this thread can fill in!), but that hasn't ever been possible on consoles. Not even the very first Playstation which used CDs would accept copies out of the box.
Most white hat security researchers seem driven as much by curiosity and just a general passion as rewards.
When I worked with someone who was a point of contact for outside security researchers it seemed for many were just happy to get their name in the release notes.
And I’m not sure if you’re selling that you’re a white hat researcher anymore…
I expect to get downvoted to oblivion for this but whatever. Your comment completely lacks morals. Selling something to the highest bidder implies you have no hesitation about selling exploits to criminals.
You don’t have to do research on any given platform. If you don’t like the terms of their bounty, find something else to play with. If you are skilled enough to find something like this you will have no problem finding very highly paid jobs.
Try not to regard things in such an all-or-nothing perspective. At worst it indicates a psychological disorder, at best—a high conflict personality. Either way, it won't benefit you or the people that interact with you.
I also disagree that it ‘completely’ lacks morals. If OP is being truthful, then he has a desire to work hard and put in the time necessary to fulfill a virtuous (albeit under-compensated) calling.
However, OP is also cognizant of a hypothetical (albeit realistic) temptation that will most likely confront him, should he carry out these pursuits: ethical conflicts which would force him to choose between large financial gains (selling exploits to bad actors), or the less lucrative (and often thankless) white hat approach of reporting it in good faith, and expecting (but not necessarily receiving) equal measures of good faith from corporations (like Sony in this case).
Having an awareness of one’s own weaknesses or susceptibilities to temptation isn’t a weakness to be admonished from atop a digital soap box. Instead, recognize and reinforce OPs desire to do good—it costs little more energy to encourage the good in people, rather than shaming them for not having an unshakable moral fortitude. Have a Happy Father’s Day.
This is an excellent microcosm of everything that is wrong with the internet. I 100% agree with the entirety of your post. Had you not taken the time and effort to make a well-thought-out comment like this, the narrative would have been shaped from your parent's post, possibly influencing tens of thousands of people.
Hey, I’m sorry and I’d genuinely feel bad if my comment seemed like I was targeting you; I will re-read and look for ways to communicate better. I wasn’t being mean-spirited, truly.
I was just trying to convey my feelings about how we all could do better to try and move the cursor of focus onto the good intentions of peoples' struggles; people and things are so rarely black and white.
Your first comment sounds like you are a person of high personal ethical standards. Since I don’t know you beyond this thread, I choose to believe that, (after all, why not?). Perhaps you hold others to the similar standards, standards that you’ve earned, and ideally others will earn too. The world would be a better place if we all held high, un-temptable, ethical standards. But holding everyone to that expectation just isn’t realistic, but that doesn’t mean, we can’t, in good faith, try and encourage others to have that goal.
I’m just trying to leave the door open to the idea that those that have not made it there yet, will often respond better to encouragement instead of admonishment. I realize that this comment and my previous one will be construed by many as admonishment—I don’t mean it to be.
I admire you for your character and simultaneously relate to the OPs self awareness. With each other’s help, we can all be better.
I won't downvote this, even though I disagree with many of the particulars.
One of note: the "criminals" in this context are, at best, homebrew developers and users who'd like to unlock the full potential of the hardware they bought. At worst, they're "pirates" (the industry term, not mine) and game cheats. Nobody likes a cheater in a video game, but I don't know if I'd go as far as to make ethical prescriptions about it.
Sony feels comfortable paying a pittance for these vulnerabilities because the market for them is relatively soft. But that doesn't mean that the underlying asset actually lacks value; it means that Sony has successfully criminalized applications of the asset, artificially lowering their salability.
Replying, to avoid edit confusion: you're the CEO of a financial services company that seems to employ reverse engineering to figure out private banking APIs. In the (not-very-distant) past, that was potentially criminal under both DMCA and ECPA.
Your position affords you a unique opportunity to have some perspective here.
Thanks for noticing. I do have a unique perspective indeed, and that is exactly the activity we engage in. It was never criminal. Reverse engineering for interoperability has always been permitted by law.
> Reverse engineering for interoperability has always been permitted by law.
It's not that straightforward (even if I wish it was).
First, it requires a judge and jury who understand "interoperability" to include "connecting to a server you don't own and sending it payloads that it isn't expecting."
Second, it requires a lenient interpretation of EULAs under the DMCA: the DMCA promotes otherwise legal reverse engineering activities into illegal activities by allowing companies to establish "acceptable use," which can include prohibiting reverse engineering activities that circumvent restrictions on copyrighted or other controlled material. A bank may plausibly (in the eyes of attorneys) claim that third-party uses of its APIs compromise the bank's ability to comply with federal regulations, since no law requires that compliance and operation be integral operations.
What? That is just clearly untrue, even though I agree it ought to be the law. DMCA 1201 made no exemptions to circumvention of technical protection measures (for research, interoperability, fair use etc). Assuming any kind of security measure was employed here the interpretations of violating that have been quite broad.
You are right, my initial comment excluded morals altogether. I did it to emphasize the low value attribution to the vulnerability discovery. If I were to actually face such a dilemma, it would include a much more complex thought process, including morals.
I understand that nobody has to do research of any sort, but my point is that the skills and effort involved are being commoditised very quickly and are becoming comparable to the gig economy. Bounty programmes are very, very cheap to large corps, compared to the returns involved. Building a substantial infosec division that could match the crowdsourced model is way more expensive.
This isn’t about selling guns to killers. Or bugs that allow you to spy on political opponents.
It’s selling bugs in customer hardware that can be used to reduce the manufacturer's control over it and allow users to run pirated stuff (and homebrew likely as a result). It’s totally in the best interest of the manufacturer to always be the highest bidder.
I don’t have any moral issues with people selling those issues on the black market if the manufacturer isn’t interested in rewarding the researcher properly.
I see it as a broken social contract, and this behavior has kept me out of white hat too. While selling to the highest bidder isn't what we collectively want to happen, neither should we want large companies to fail rewarding individuals for improving their systems, particularly security. I don't want a landscape of pirated software, but I can't apply moral judgement to someone who chooses to sell the information elsewhere because the owner won't offer in-kind value. It seems to me the first immoral action is actually being made by the company. I wonder if a proper way of addressing this is for individuals to negotiate higher awards through a non-profit specializing in legal and monetary law.
But what hasn't worked and will continue to not work is using social moral condemnation. I think we all find "you wouldn't download a car" funny, right? Worse for this situation is the context of the growing economic divide worldwide in 2022. Under that lens I wouldn't be surprised to see this happening more. The more oligarchies show individuals that they don't care, why should individuals show they care about the oligarchies?
Sony TVs spy on what their viewers are watching, and Playstations specifically are designed to prevent their "owners" from using their property as they wish. And let's not forget the rootkit Sony installed on buyers of their music CDs, for which no Sony employee or executive went to jail.
That Sony is not the criminal here is a reflection of our inadequate laws, not morals, and selling vulnerabilities to them is just as bad.
If the one being targeted was an ethical open source initiative that ultimately benefits the world, then yes, I'd agree. But if it's a company deeply entrenched in dark patterns, that willingly destroys small competition with anticompetitive practices and tramples on basic user rights for triple dollar signs, then, really, who cares? What detriment to humanity would there be if OP sold to the highest bidder?
Sony are seeding their online community with toxicity. If you have a PSN account look at the available avatars you can use.
1 in 5 have different variations of devils horns on the characters heads. 3 in 5 look like they've been cropped from communist murals around my city. Almost all of the characters look angry and criminal.
Browse these avatars and in your mind compare them to Nintendo's. The vast majority of users are interacting with each other and seeing these creepy avatars as their friends' virtual faces. What effect is this having on young kids?
In this case, "Crime Pays Much Better" is a valid criticism, relative to the award. It really shouldn't be the case here. This is very much a "worst case scenario" for Sony if publicly released. The award amount IMHO is excessively paltry for the level of effort and the relative impact that this could have caused their business if not reported in an ethical way.
An award amount this low, as others and the poster point out, approaches the level of a "deterrent to doing the right thing."
This has always been a heated debate. IMO, the whole concept of "ethical hacking" doesn't exist. The whole concept of morals and ethics is nothing but smoke. It's something someone made up one day to get people to not do bad things and in the modern day companies use it to give out terrible bounty rewards.
If I find a high tier vuln and the company isn't giving reasonable bounties, it's going straight onto Zerodium or similar platforms and I won't lose a second of sleep over it.
The market is telling people what the price of a bug is, as the legal monetization paths get more and more numerous, alongside the illegal ones.
It's literally only the corporations benefiting from having their own product fixed that are paying the wrong amount, inching up the payout amounts ever so slowly.
Anything that makes those corporations pay out better is also a moral outcome, and doing things that supports this status quo lacks ethics as well.
(We actually agree that selling to some bidders, and some actions, lack ethics)
You don't need "morals" when the topic is about billion dollar companies who lowball you and nobody gets hurt if you do sell the exploit on the black market.
I believe it's come out since the initial statement that the "pirated games [...] without a kernel exploit" thing was hypothetical, requiring someone to write a specialized AMD64-to-AMD64 JIT compiler that transforms game programs from using their native memory layouts to using that of the exploited process.
It's more-or-less how QEMU system emulation works when hardware virtualization isn't available (it's even called "softmmu"). My understanding is that something similar would need to be written/adapted with knowledge of PS5 processes' memory layouts embedded into it.
20K + prestige, he's gonna have strong cards at his next $nicely_paying_company interview
> Good way to ensure others who find similar exploits to sell them to highest bidder on darkmarkets instead as they'll be able to get way more than that.
Sure, sell it for how much? Twice? Thrice as much?
Instead of using it for your own branding, CV, and to negotiate a salary which will pay you way more over the years.
Not sure these kinds of exploits are as valuable as they once were. Online gaming is the default now which means updates can be enforced. And using one of these exploits basically requires disconnecting from the network, losing online, and losing access to new games which will have minimum version requirements.
I think the Switch is an example of how little these exploits really matter now. They had a maximum severity bug that was unpatchable and allowed piracy as well as several other patchable ones later and yet the switch did fine since the vast majority don’t want to be banned from online multiplayer. Switch piracy is very contained to a group of tech enthusiasts.
Compare this to the DS and DSi, where piracy carts were sold at retail stores, had zero downsides and were widely popular.
That's a good point, but I would say it's heavily dependent on the country. Here in Brazil, for example, where Switch games cost almost double what PlayStation and Xbox games cost, most of the people I know who have an exploitable console have it hacked.
It's also worth mentioning that vulnerable consoles were sold for a relatively small window of the console's lifetime, and while patched units are still hackable to some extent, it's much more inconvenient. For the DS all you needed was a flash cart, regardless of anything else.
> Good way to ensure others who find similar exploits to sell them to highest bidder on darkmarkets instead as they'll be able to get way more than that.
I’m quite certain there are groups in the world who would have paid far north of $20k for the ability to copy PS4/PS5 discs that don’t need a modification or jailbreak to play.
I’m not saying that’s what should have happened, but $20k for something this severe is practically asking for that to happen.
Because a similar iPhone or Android vulnerability would be useful to state actors, APTs, and everything in between. It'd be easy to weaponize and market. Hell, you could start a career in the ethically dubious world of selling 0-days to governments.
But what we got here is a way to pirate video games.
Weaponizing this vulnerability means someone can play bootleg video games. And to profit from bootlegging video games, you'd have to create manufacturing and distribution channels. Then you'd have to find people who want to buy games. That's a lot of work, and when you inevitably get caught you'll likely face stiff fines (if not prison).
Is this vulnerability worth more than $20k to Sony? Yes. Is it worth more than $20k to the person who found the vulnerability? Only if they can monetize it, which would require breaking various and sundry laws.
> Only if they can monetize it, which would require breaking various and sundry laws.
I mean, doesn't the same restriction apply to mobile exploits? You'd be breaking some kind of law by selling the exploit off, no?
In my opinion, game piracy for latest gen consoles would be very easily monetizable. The challenge is figuring out how to make money without revealing your identity and/or basing your operations out of a more piracy-tolerant jurisdiction. Or you could sell the exploit off to someone who is willing to deal with all of this.
Distributing pirated games for hacked consoles without getting caught is not easy, as you point out yourself. This also goes for whoever you're trying to sell the exploit to. I can't see any combination of these facts that adds up to 'very easily monetizable'.
“Very easily monetizable” is referring to the fact that you will easily find people who would pay to play the latest titles (in the past: modchips, emulators, etc.).
This is especially true with PS5 thanks to the ongoing console shortage.
> $20k seems a bit low for a chain of 5 exploits that defeat the entire security model on their flagship product, but what do I know.
Especially when so many people work on sensitive work in their homes due to COVID, huge chunks of the federal government are having conversations next to hot mics as they do Tinder and the like on their "personal" devices.
Wide-scale game piracy can be very profitable in markets that aren't well-served by the console operator. You're not gonna make money selling pirate Blu-rays in the US since you'll go straight to prison, but I can imagine PS4 owners in second- or third-world countries buying a stack of pirated Blu-rays for 20% of the cost of retail and local law enforcement not being terribly interested in doing something about it.
Possibly but who is going to pay you $20k to realize these theoretical profits? They essentially mean un-networking your console, never updating it, only using physical media, likely losing your PSN account. There's a huge leap from step 1. 'an exploit exists', step N 'lots of hacked consoles and people buying pirated discs for them' and whatever step 'PROFIT' appears in. A latent market for free or cheap stuff is not the same thing as a market for this exploit.
> They essentially mean un-networking your console, never updating it, only using physical media, likely losing your PSN account.
Everything you list there is a plus in non-wealthy countries where internet access is slow and expensive. I suspect the total sales of bootleg PS2 games greatly exceeded Sony's legit sales in the global south due to the widespread availability of "chipped" PS2 consoles.
Sure, but still nobody is going to pay you $20k today for an exploit that might, just might, in a few years time, enable brisk business in the street markets of Cochabamba.
> non-wealthy countries where internet access is slow and expensive
I’m not sure many people could afford a PS5 in places such as this. And in most ‘second world’ countries, where people have a bit more money, internet is generally cheap and fast, especially compared to countries like the US or Canada.
> I’m not sure many people could afford a PS5 in places such as this.
Why does it have to be "many"? Bootleg games have extremely high margins for the bootleggers.
That said, the PS5 is cheaper than an iPhone, and there are plenty of those. If you're bored, look up Instagram pictures geolocated in the poorest cities you can think of, then count the number of recent iPhones that are worth at least a new PS5. The number may surprise you.
> Interesting to see that one of the most impactful exploits is in an open source library.
WebKit is infested with vulnerabilities and it is a hackers paradise for exploitation. Probably the most exploited and targeted software component out there.
From experience managing a program, one of the benefits of HackerOne is that we can actually pay more researchers. It's surprisingly annoying to pay researchers via direct wire and other means. HackerOne is, legitimately, an amazing international payment system for this kind of thing.
Although 20k seems quite low, I think it is reasonable given the rise of game subscriptions.
Who would want to jailbreak and leave their PS5 offline to get $5 games that won’t work once the console is updated? Where on the flip side you could pay $5-15 monthly (not sure of PlayStation Now's cost, but that amount is for Xbox Game Pass) to have hundreds of games at your disposal and never have to physically acquire a new disc via the black market to play a new game?
Is there a reason this wouldn’t in theory allow a full jailbreak and play of the $79 games?
PlayStation’s main unique feature is the narrative-based single player exclusives. So, if you were going to get a PS5 and an Xbox, Xbox for multi and hacked PS5 for single seems like an excellent combo - you know - if you were the type of person that could justify that sort of thing.
Back in the day I faced the same consideration with the Xbox 360. I went with the reset glitch hack and was able to have hundreds and hundreds of games all play from an HDD. Eventually the hackers got servers running and you could also play online with others. A fully jailbroken PS5 would definitely be appealing.
I found an open redirect in a large American insurance company’s website and was given $200. I imagine finding 100 low hanging vulnerabilities would be a lot easier for $20,000…
SIE is a subsidiary of Sony but they're quite different. Even inside SIE the division that makes PlayStation is quite unique compared to other (first-party) game studios.
There are two types of people that will find these kinds of exploits: black hat hackers that do it for the money, and white hat hackers that do it for themselves/openness.
The black hat hacker would have to be paid handsomely so that he could disclose his exploit. For these types of exploits I assume they would do something like sell you a PS5 with dozens of games included for $700, and tell you that you can load many more. That means that he only needs to sell 101 hacked PS5s to make more than the reward money, and he'll probably sell thousands of them before a copycat copies him stealing his profits or Sony patches the bug, which won't stop him completely since he'll probably have a big stock of unpatched PS5s.
The white hat hacker does it for fun or curiosity, a white hat hacker is usually an advocate for open source and probably trying to run linux on the thing is the main motivation for him to keep going. After they find something they'll release it to the public, usually with piracy enabling things off by default, but since it's all open source the pirates will find a way to use it anyway.
Sony is doing the smart thing and targeting the white hat hacker; they're the most likely to find these exploits anyway. If they made the reward money high enough that it would disincentivize the black hat hacker from commercializing his findings, it would instead be an incentive for people to find exploits. Let's say they pay $200k per exploit: they would no longer be paying these types of bounties once a year, but every month. I'd argue that paying millions a year to protect their system is valuable, but the fact is that they can get away with much less, hence $20k is just about the perfect amount of money for a bounty like this.
tl;dr: If they paid more they'd basically be creating and funding a market of exploit finders for little gain.
Yes? That's how bug bounties work. Companies that care about their security pay for bugs. Those that don't, don't. Sony care, but $20k for this chain of bugs is pretty poor, especially when they offer up to $50k (for criticals). I'm curious why Sony think this is a High severity and not Critical.