TL;DR
Any Riot services available from the Internet and any software developed by Riot Games is in scope. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. Publicly disclosing your bug without coordinating with us may lead to being ineligible for a bounty.
Policy
Keeping player data safe is a top priority for us, and we have teams across security, engineering, and player support that work to protect it. We strive to be as transparent as possible when it comes to our security efforts in order to help you stay informed and aware of when you may need to take action.
This is an invite-only program for now, so please keep your participation confidential until we’re ready to publicly announce it.
Rewards
If you’re able to help us protect our players and their data by responsibly identifying new security issues for us to fix, you are awesome and we want to reward you. Qualifying bugs will be rewarded based on severity. Our minimum reward is $250 USD. Rewards are granted entirely at the discretion of Riot. Publicly disclosing your bug without coordinating with us may lead to being ineligible for a bounty. We will judge this on a case-by-case basis.
Reports containing zero-day vulnerabilities will be reviewed and assessed on a case-by-case basis, and may not follow our existing reward structure.
Vanguard Bounty Opportunity
Alongside our new game VALORANT, we have deployed our new anti-cheat solution Vanguard that leverages a kernel driver to combat cheaters more effectively. To reinforce our commitment to our players' security, we are offering special bounties for up to $100,000 for high quality reports that demonstrate practical exploits leveraging the Vanguard kernel driver.
Scope
Reports for exploits leveraging the anti-cheat kernel driver vgk.sys. For more information on Vanguard and its kernel driver, see /dev/null: Anti-Cheat Kernel Driver.
Not in Scope
Vanguard exploits that are contained in userland will be considered under our 'Standard Bounties' scope rather than the special Vanguard bounties scope.
VALORANT gameplay bugs will not be accepted in the program and should instead be submitted through player support at https://support-valorant.riotgames.com/hc/en-us.
Evidence of cheating or cheating suites existing for VALORANT do not qualify for our program.
Vanguard Bounties
Category | Subcategory | Maximum Bounty
Network attack with no user interaction | Code execution on the kernel level | $100,000
Network attack with no user interaction | Unauthorized access to sensitive data | $75,000
Network attack requiring user interaction (1 click) | Code execution on the kernel level | $75,000
Network attack requiring user interaction (1 click) | Unauthorized access to sensitive data | $50,000
Local attack for privilege escalation | Code execution on the kernel level | $35,000
Local attack for privilege escalation | Unauthorized access to sensitive data | $25,000
Example Scenarios
Category | Example
Network attack not requiring user interaction | No user interaction is required; an attacker who can deliver the exploit to the victim's machine over a network is enough to compromise the target.
Network attack requiring user interaction | The user has to knowingly perform an action, such as clicking a malicious link, for the exploit to succeed. The exploit is delivered over a network and no prior access to the victim's machine is required.
Local attack for privilege escalation | You are a guest user on a system and you are able to leverage the Vanguard driver to perform system administrator level actions you wouldn't be able to otherwise.
Eligibility Requirements for Vanguard Bounties
The exploit works on the latest version of Vanguard
You must provide a working proof of concept for the exploit that can be run by Riot Games along with a detailed report
The exploit hasn’t been shared elsewhere before
The findings are not disclosed outside of this program without the explicit approval of Riot Games
The payouts outlined represent the maximum payout for each category; the actual bounty paid out depends on the impact and practicality of the exploit presented.
Hypixel Bounties
Founded in 2018 with support from an advisory group of angel investors, including Riot Games, Hypixel Studios is currently developing Hytale, a community-powered block game that combines the scope of a creative sandbox with the depth of a roleplaying game. In April 2020, Riot Games completed its acquisition of Hypixel Studios.
At the moment, bounties within Hypixel Studios' scope follow a different bounty structure compared to the rest of Riot Games' bounty program, which you can find in the tables below. Hypixel Studios assets are identified as such in the program's assets.
Vulnerabilities in our Infrastructure
Category | Example | Access to PII | Access to other sensitive data / metrics | Access to other production-ready applications | Access to other development applications
Unrestricted machine / file system / database access | SSH access to server, unsecured database | Up to $5,000 | $2,500 - $4,500 | $2,500 - $3,500 | Up to $2,500
Bypassing authentication controls | Accessing internal tools without authenticating, logging in as another user | Up to $3,000 | $1,250 - $2,500 | $1,250 - $2,000 | Up to $1,500
API/CDN data leak | Access to game binaries, APIs revealing sensitive information | Up to $2,500 | $500 - $2,500 | $500 - $2,500 | $250 - $2,500
Resource takeover | Bucket takeover, subdomain takeover | Up to $1,500 | $500 - $1,000 | $250 - $500 | $250 - $500
Client-Side Vulnerabilities
Category | Example | Bounty Range
Execute code on the client | Cross-site scripting | Up to $500
Information disclosure | Disclosing other users’ PII or other sensitive information | $250 - $1,500
Other vulnerabilities | CSRF, DNS rebinding | $250 - $500
Standard Bounties
Cheats & Exploits in Our Games
Category | Examples | You can win with 100% certainty | Increases your chance of winning significantly
In-game Exploits, cheating | Infinite damage, item duplication, bypassing deck restrictions, aimbot, wallhack | $2,500 - $7,000 | $250 - $2,000
Cheat Development | Methods to bypass obfuscation, debugging protection, techniques that enable reverse engineering our games | $250 - $20,000 (single range covering both columns)
Content Acquisition Exploits
Category | Examples | Acquiring paid content for free (unlocking paid skins) | Bypassing progression mechanics | Bypassing free content quota restrictions, acquiring non-eligible promotional items
Bypassing content restrictions | Lacking server-side validation, exploitable purchasing flows | $750 - $5,000 | $250 - $2,000 | $250 - $1,000
Player Experience
Category | Examples | Point-and-click Arbitrary Targets | Affects Players in Multiple Game Sessions | Affects Players Only in Your Game Session
Non-traffic volume based Denial of Service | Crashing a game server through an application vulnerability, preventing a target client from joining games | $5,000 - $10,000 | $1,000 - $4,000 | $500 - $2,500
Vulnerabilities in Our Infrastructure
Category | Examples | Critical Riot infrastructure (game servers, services in the game loop, Riot accounts infrastructure) | Highly Sensitive Applications (eSports, main game websites) | Integrated Applications (connected to other Riot systems but do not control sensitive actions or data themselves) | Non-integrated applications (self-contained, not connected to other Riot systems)
Remote Code Execution | Command injection, Deserialization Vulnerabilities | $10,000 - $31,337 | $5,000 - $15,000 | $2,000 - $7,500 | $1,000 - $5,000
Filesystem or database access | Missing access controls, Misconfigured ACLs, SQL Injection, XXE, path traversal | $5,000 - $25,000 | $3,000 - $10,000 | $1,000 - $5,000 | $500 - $2,000
Logic flaw bugs leaking or bypassing significant security controls | PII disclosure, Mass assignment, IDOR, SSRF | $1,000 - $10,000 | $1,000 - $5,000 | $500 - $2,000 | $250 - $1,000
Resource Takeover | Bucket takeover, subdomain takeover | $4,000 | $1,000 - $4,000 | $250 - $1,000 | $250 - $500
Client-Side Vulnerabilities in Our Products
Category | Examples | Game clients (PC/MacOS) & Vanguard client (see the Vanguard driver section for exploits with kernel level impact) | Game clients (Mobile) | Sensitive and Integrated Web Applications (connected to other Riot systems) | Non-integrated Web Applications (not connected to other Riot systems)
Execute Code on the Client | RCE, Cross-Site Scripting | $5,000 - $25,000 | $5,000 | $1,500 | $500
Information Disclosure | Disclosing other player’s IP address, login name or other sensitive information (payout based on sensitivity of information) | $750 - $7,500 | $500 - $5,000 | $250 - $2,500 | $250 - $1,500
Other Vulnerabilities | CSRF, DNS rebinding | $500 - $4,000 | $500 - $4,000 | $250 - $1,000 | $250 - $500
Applications in Scope
Any Riot services available from the Internet and any software developed by Riot Games. This includes all of our web applications as well as all of the games we release. In an effort to start building trending analytics we have included some assets in the Structured Scope Section and ask that if you find a vulnerability on one of our assets you include the asset in the report.
As we start to see success from the data we will build it out further.
If Riot has to implement a code change to fix the security bug, it most likely qualifies for a bounty.
Find a security vulnerability? Send it our way so we can get on it. This might include:
Other security concerns (e.g. infrastructure security problems, information disclosure issues, memory corruption)
Web security problems (e.g. cross-site scripting and SQL injection problems)
Game exploits (e.g. insta-win bugs or third party game modifications)
Acquisitions are typically in the scope of this program. We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.
For more detailed information about our scope, see the 'Scopes' section at the bottom of the page.
Applications Not in Scope
Bugs that are not in Riot Games owned software, such as our Player Support portal provider (Zendesk) or our Developer Portal community (Answerhub), should be reported to the organisations behind those products. You may find help at the HackerOne Disclosure Assistance page.
Bugs in the Garena domain are out of scope. Garena is a partner of ours, but they are a completely separate company and manage their own assets and infrastructure. Please reach out to them through security@garena.com.
Bugs in the Tencent domain are out of scope. Tencent is a partner of ours, but they are a completely separate company and manage their own assets and infrastructure. Please reach out to them through https://hackerone.com/tencent.
For other issues with your account, head over to the Player Support page.
Pro-Tips for Scoring A Bounty
Reports that are more likely to qualify for a bounty have:
Easy-to-follow reproduction steps
Bug Titles that specify the scope of the vulnerability
Clear details about how the vulnerability can be directly leveraged as part of an exploit against players or Riot
If you need to test a potential bug inside a game of League of Legends, please take care to minimize the impact to other players by using custom games and the public beta environment.
Examples of bug types that commonly qualify for a bounty include XSS, SQL injection, authorization issues, gameplay exploits and the like.
Do not access or modify our data or our players’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
Contact us immediately if you do inadvertently encounter player data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Riot Games;
Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
Out-of-scope Vulnerabilities
The following issues are outside the scope of our rewards program:
Issues related to networking protocols or industry standards not controlled by Riot.
Any vulnerability requiring a browser with deliberately weakened security features, for example re-enabling Flash (.swf).
Any vulnerability requiring deliberately weakened, non-standard operating system or other configurations
Any individual on, or residing in any country on, any U.S. sanction lists (due to laws that prohibit payments under these circumstances)
Password, email and account policies, such as email id verification, reset link expiration, password complexity.
Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
Login/logout CSRF.
Attacks requiring physical access to a player’s device, such as DLL hijacking.
Missing security headers which do not lead directly to a vulnerability.
Missing best practices (we require evidence of a security vulnerability).
Self-XSS (we require evidence on how the XSS can be used to attack another Player or Rioter).
Use of a known-vulnerable library without evidence of exploitability.
Reports of spam (i.e., any report involving ability to send emails without rate limits).
Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
Absence of rate limiting, unless related to authentication.
The following issues are outside the scope of our rewards program, and are not considered “authorized” conduct under the Computer Fraud and Abuse Act:
Physical attacks against Riot offices and data centers.
Social engineering of Rioters, our service desk, or contractors.
Any vulnerability obtained through the compromise of a Rioter or player account: if you need to test a vulnerability, create another account; don’t take someone else’s. This type of activity will result in permanent disqualification from the program.
Any vulnerability found through the use of a botnet, compromised site, or a DDoS cannon (any tool that generates a significant volume of traffic).
Disrupting or negatively impacting non-consenting players will disqualify your submission.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for violations of this policy that we, in our sole discretion, determine are accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with Riot Games’ bug bounty policy, Riot Games will take steps to make it known that your actions were conducted in compliance with this policy.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
The Fine Print
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Current & former Riot Games employees and their family members are not eligible for bounties.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Riot Games reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.
Policy:
http://www.riotgames.com/security-vulnerability-reporting.