‘League of Legends’ Creators Unveil Details of Bug Bounty Program

Riot Games, the developer of the popular multiplayer online game League of Legends, has shared some details on its bug bounty program.

The program, powered by the HackerOne platform, was launched in April 2013, but it has been open only to a few security researchers who have helped the company address a total of 75 bugs, exploits and vulnerabilities. So far, Riot Games has rewarded participants with a total of more than $100,000.

The list of vulnerabilities reported so far includes client crash exploits, vision-related exploits, and flaws that could potentially be leveraged to impersonate players on forums, the company said.

The bug bounty program covers all Riot services accessible from the Internet and any software developed by the company. The list of eligible issues includes Web vulnerabilities such as cross-site scripting (XSS) and SQL injection, game exploits, and other flaws related to infrastructure security, information disclosure and memory corruption.

Researchers who report vulnerabilities are rewarded based on the severity of the bug. The minimum bounty has been set by the company at $100.

Physical attacks, social engineering of employees and contractors, and issues related to components that Riot has no control over are out of scope.

Riot Games decided to launch a bug bounty program after Jamieson O’Reilly, a 24-year-old Australian researcher, found a vulnerability that could have been exploited to steal League of Legends players’ identities on forums and impersonate them. The flaw could not be used to hijack accounts, but it could have led to phishing scams.

Since the company didn’t have a bug bounty program or a special email address for security-related issues, O’Reilly reported his findings via an address for general inquiries. It took a week for the researcher’s report to reach the Riot security team. That’s when the company realized that a more efficient system was needed.

“No software connected to the internet can be considered 100% secure. We know that smart people all over the world poke at our software, websites, and infrastructure, looking for weaknesses. Some will successfully find security vulnerabilities. When this happens, it’s critical that we become aware of the vulnerability ASAP so that we can fix it before it’s widely abused,” Riot Games said in a blog post on Friday.

Since the launch of the bug bounty program, researchers have reported multiple serious vulnerabilities that could have been exploited against players and the company’s services. Riot Games says it’s still not prepared to open the program to all researchers, but the company advises those who identify bugs to send an email to its security team at [email protected].

“Before we can expand the program, we need to get aligned on a foundational workflow that allows our security team to efficiently handle every report from the field and turn them into bugs that development teams will own. The real measure of the bounty program’s effectiveness is if Riot can earn the trust of the security research community and if players feel like Riot is serious about improving security,” the company said.

Organizations are increasingly realizing that bug bounty programs can be highly efficient for addressing security issues. The list of companies that have launched programs over the past months includes Pinterest, Twitter and Blackphone.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
