
Riot Games
External Program
Any Riot services available from the Internet and any software developed by Riot Games is in scope. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. Publicly disclosing your bug without coordinating with us may lead to being ineligible for a bounty.
Keeping player data safe is a top priority for us, and we have teams across security, engineering, and player support that work to protect it. We strive to be as transparent as possible when it comes to our security efforts in order to help you stay informed and aware of when you may need to take action. This is an invite-only program for now, so please keep your participation confidential until we’re ready to publicly announce it.
If you’re able to help us protect our players and their data by responsibly identifying new security issues for us to fix, you are awesome and we want to reward you. Qualifying bugs will be rewarded based on severity. Our minimum reward is $50 USD. Rewards are granted entirely at the discretion of Riot. Publicly disclosing your bug without coordinating with us may lead to being ineligible for a bounty. We will judge this on a case-by-case basis.
Reports containing zero-day vulnerabilities will be reviewed and assessed on a case-by-case basis, and may not follow our existing reward structure.
If we need you to undertake significant retesting as part of verifying a fix or mitigation, we will use the retesting feature of the HackerOne platform to compensate you for your time. Our retesting rate is $50 to $100 depending on complexity. This will only be paid out if the Riot team initiates a retest using the platform retest feature.
We may occasionally ask you for a simple verification of whether an asset is still accessible, e.g. whether you can still access a specific URL. These simple verifications will not be eligible for the retest feature.
This category is for vulnerabilities that specifically target in game session denial of service. Denial of service targeting around game experiences (rewards, progression, etc.) or preventing players from initiating a game are not in scope for this category and will be considered under the 'Standard Bounties' scope.
| Category | Examples | Point-and-click Arbitrary Targets | Affects Players in Multiple Game Sessions | Affects Players Only in Your Game Session |
|---|---|---|---|---|
| Non-traffic volume based Denial of Service | Crashing a game server through an application vulnerability, preventing a target client from joining games | $5,000 - $10,000 | $1,000 - $4,000 | $500 - $2,500 |
| DDoS that can identify and target individual players | An exploit (or chain of exploits) leading to connecting a player’s IP address to their Riot ID without being in-game or in-game friends with them | Up to $100,000 | Up to $100,000 | Up to $100,000 |
| Targeted In Game Session Disconnection | An exploit (or chain of exploits) leading to disconnecting an arbitrary target player from a game session | Up to $100,000 | Up to $100,000 | Up to $100,000 |
Alongside our new game VALORANT, we have deployed our new anti-cheat solution Vanguard that leverages a kernel driver to combat cheaters more effectively. To reinforce our commitment to our players' security, we are offering special bounties for up to $100,000 for high quality reports that demonstrate practical exploits leveraging the Vanguard kernel driver.
This scope covers reports of exploits leveraging the anti-cheat kernel driver vgk.sys. For more information on Vanguard and its kernel driver, see /dev/null: Anti-Cheat Kernel Driver.
Vanguard exploits that are contained in userland will be considered under our 'Standard Bounties' scope rather than the special Vanguard bounties scope.
VALORANT gameplay bugs will not be accepted in the program and should instead be submitted through player support at https://support-valorant.riotgames.com/hc/en-us. Evidence of cheating or cheating suites existing for VALORANT do not qualify for our program.
| Category | Subcategory | Maximum Bounty |
|---|---|---|
| Network attack with no user interaction | Code execution on the kernel level | $100,000 |
| Network attack with no user interaction | Unauthorized access to sensitive data | $75,000 |
| Network attack requiring user interaction (1 click) | Code execution on the kernel level | $75,000 |
| Network attack requiring user interaction (1 click) | Unauthorized access to sensitive data | $50,000 |
| Local attack for privilege escalation | Code execution on the kernel level | $35,000 |
| Local attack for privilege escalation | Unauthorized access to sensitive data | $25,000 |
| Category | Example |
|---|---|
| Network attack not requiring user interaction | No user interaction is required; an attacker able to deliver the exploit to the victim's machine over a network is enough to compromise the target. |
| Network attack requiring user interaction | The user has to knowingly perform an action, such as click a malicious link for the exploit to succeed. The exploit is delivered over a network and no prior access to the victim's machine is required. |
| Local attack for privilege escalation | You are a guest user on a system and you are able to leverage the Vanguard driver to perform system administrator level actions you wouldn't be able to otherwise. |
The payouts outlined represent the maximum payout for each category; the actual bounty paid out depends on the impact and practicality of the exploit presented.
The Hypixel Bounty program has been discontinued. The assets that were previously in scope have been removed from the program.
We may still accept reports for Hytale assets that have not yet been decommissioned; however, this will not include subdomain takeover, cache denial of service, or other vulnerabilities that do not result in information disclosure or other significant impact.
| Category | Examples | You can win with 100% certainty | Increases your chance of winning significantly |
|---|---|---|---|
| In-game Exploits, cheating | Infinite damage, item duplication, bypassing deck restrictions, aimbot, wallhack | $2,500 - $7,000 | $250 - $2000 |
| Cheat Development | Methods to bypass obfuscation, debugging protection, techniques that enable reverse engineering our games | $250 - $20,000 | |
| Category | Examples | Acquiring paid content for free (unlocking paid skins) | Bypassing progression mechanics | Bypassing free content quota restrictions, acquiring non-eligible promotional items |
|---|---|---|---|---|
| Bypassing content restrictions | Lacking server-side validation, exploitable purchasing flows | $750 - $5,000 | $250 - $2,000 | $250 - $1,000 |
| Category | Examples | Critical Riot infrastructure (game servers, services in the game loop, Riot accounts infrastructure) | Highly Sensitive Applications (Global eSports, main game websites) | Integrated Applications (connected to other Riot systems but do not control sensitive actions or data themselves) | Non-integrated applications (regional eSports, self-contained, not connected to other Riot systems) |
|---|---|---|---|---|---|
| Remote Code Execution | Command injection, Deserialization Vulnerabilities | $10,000 - $31,337 | $5,000 - $15,000 | $2,000 - $7,500 | $1,000 - $5,000 |
| Filesystem or database access | Missing access controls, Misconfigured ACLs, SQL Injection, XXE, path traversal | $5,000 - $25,000 | $3,000 - $10,000 | $1,000 - $5,000 | $500 - $2,000 |
| Logic flaw bugs leaking or bypassing significant security controls | PII disclosure, Mass assignment, IDOR, SSRF | $1,000 - $10,000 | $1,000 - $5,000 | $500 - $2,000 | $250 - $1,000 |
| Resource Takeover or Denial of Service | Bucket takeover, subdomain takeover, Cache DOS | $4,000 | $1,000 - $4,000 | $250 - $1,000 | $250 - $500 |
| Category | Examples | Game clients (PC/MacOS) & Vanguard client (see the Vanguard driver section for exploits with kernel level impact) | Game clients (Mobile) | Sensitive and Integrated Web Applications (connected to other Riot systems) | Non-integrated Web Applications (not connected to other Riot systems) |
|---|---|---|---|---|---|
| Execute Code on the Client | RCE, Cross-Site Scripting | $5,000 - $25,000 | $5,000 | $1,500 | $500 |
| Information Disclosure | Disclosing other player’s IP address, login name or other sensitive information (payout based on sensitivity of information) | $750 - $7,500 | $500 - $5,000 | $250 - $2,500 | $250 - $1,500 |
| Other Vulnerabilities | CSRF, DNS rebinding | $500 - $4,000 | $500 - $4,000 | $250 - $1,000 | $250 - $500 |
| Category | Examples | Range |
|---|---|---|
| Active Social Account Takeover | Compromise of an actively used Riot owned social media account | $50 - $500 |
| Broken Link Hijacking | Takeover of broken link referenced on official Riot Games Website | $50 |
Any Riot services available from the Internet and any software developed by Riot Games. This includes all of our web applications as well as all of the games we release. In an effort to start building trending analytics we have included some assets in the Structured Scope Section and ask that if you find a vulnerability on one of our assets you include the asset in the report.
As we start to see success from the data we will build it out further.
If Riot has to implement a code change to fix the security bug, it most likely qualifies for a bounty.
Find a security vulnerability? Send it our way so we can get on it. This might include:
Acquisitions are typically in the scope of this program. We may reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.
For more detailed information about our scope, see the 'Scopes' section at the bottom of the page.
For other issues with your account, head over to the Player Support page.
Reports that are more likely to qualify for a bounty have:
The following issues are outside the scope of our rewards program:
The following issues are outside the scope of our rewards program, and are not considered “authorized” conduct under the Computer Fraud and Abuse Act:
The following conduct may disqualify your report from receiving a bounty and result in a ban from the program or escalation to HackerOne:
We will not pursue civil action or initiate a complaint to law enforcement for violations of this policy that we, in our sole discretion, determine are accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with Riot Games’ bug bounty policy, Riot Games will take steps to make it known that your actions were conducted in compliance with this policy.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Current & former Riot Games employees and their family members are not eligible for bounties.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Riot Games reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.