'League of Legends' Creators Unveil Details of Bug Bounty Program

Riot Games, the developer of the popular multiplayer online game League of Legends, has shared some details on its bug bounty program.

The program, powered by the HackerOne platform, was launched in April 2013, but it has been open only to a few security researchers who have helped the company address a total of 75 bugs, exploits and vulnerabilities. So far, Riot Games has rewarded participants with a total of more than $100,000.

The list of vulnerabilities reported so far includes client crash exploits, vision-related exploits, and flaws that could potentially have been leveraged to impersonate players on the forums, the company said.

The bug bounty program covers all Riot services accessible from the Internet and any software developed by the company. The list of eligible issues includes Web vulnerabilities such as cross-site scripting (XSS) and SQL injection, game exploits, and other flaws related to infrastructure security, information disclosure and memory corruption.

Researchers who report vulnerabilities are rewarded based on the severity of the bug. The minimum bounty has been set by the company at $100.

Physical attacks, social engineering of employees and contractors, and issues related to components that Riot has no control over are out of scope.

Riot Games decided to launch a bug bounty program after Jamieson O’Reilly, a 24-year-old Australian researcher, found a vulnerability that could have been exploited to steal League of Legends players' identities on forums and impersonate them. The flaw could not be used to hijack accounts, but it could have led to phishing scams.

Since the company didn't have a bug bounty program or a special email address for security-related issues, O'Reilly reported his findings via an address for general inquiries. It took a week for the researcher's report to reach the Riot security team. That's when the company realized that a more efficient system was needed.

"No software connected to the internet can be considered 100% secure. We know that smart people all over the world poke at our software, websites, and infrastructure, looking for weaknesses. Some will successfully find security vulnerabilities. When this happens, it’s critical that we become aware of the vulnerability ASAP so that we can fix it before it’s widely abused," Riot Games said in a blog post on Friday.

Since the launch of the bug bounty program, researchers have reported multiple serious vulnerabilities that could have been exploited against players and the company's services. Riot Games says it's still not prepared to open the program to all researchers, but the company advises those who identify bugs to send an email to its security team at [email protected].

"Before we can expand the program, we need to get aligned on a foundational workflow that allows our security team to efficiently handle every report from the field and turn them into bugs that development teams will own. The real measure of the bounty program’s effectiveness is if Riot can earn the trust of the security research community and if players feel like Riot is serious about improving security," the company said.

Organizations are increasingly realizing that bug bounty programs can be a highly efficient way of addressing security issues. The list of companies that have launched such programs in recent months includes Pinterest, Twitter and Blackphone.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.