Connect with us

Hi, what are you looking for?



‘League of Legends’ Creators Unveil Details of Bug Bounty Program

Riot Games, the developer of the popular multiplayer online game League of Legends, has shared some details on its bug bounty program.

Riot Games, the developer of the popular multiplayer online game League of Legends, has shared some details on its bug bounty program.

The program, powered by the HackerOne platform, was launched in April 2013, but it has been open only to a few security researchers who have helped the company address a total of 75 bugs, exploits and vulnerabilities. So far, Riot Games has rewarded participants with a total of more than $100,000.

The list of vulnerabilities reported until now includes client crash exploits, vision related exploits, and flaws that could potentially be leveraged to impersonate players on forums, the company said.

The bug bounty program covers all Riot services accessible from the Internet and any software developed by the company. The list of eligible issues includes Web vulnerabilities such as cross-site scripting (XSS) and SQL injection, game exploits, and other flaws related to infrastructure security, information disclosure and memory corruption.

Researchers who report vulnerabilities are rewarded based on the severity of the bug. The minimum bounty has been set by the company at $100.

Physical attacks, social engineering of employees and contractors, and issues related to components that Riot has no control over are out of scope.

Riot Games decided to launch a bug bounty program after Jamieson O’Reilly, a 24-year-old Australian researcher, found a vulnerability that could have been exploited to steal League of Legends players’ identities on forums and impersonate them. The flaw could not be used to hijack accounts, but it could have led to phishing scams.

Advertisement. Scroll to continue reading.

Since the company didn’t have a bug bounty program or a special email address for security-related issues, O’Reilly reported his findings via an address for general inquiries. It took a week for the researcher’s report to reach the Riot security team. That’s when the company realized that a more efficient system was needed.

“No software connected to the internet can be considered 100% secure. We know that smart people all over the world poke at our software, websites, and infrastructure, looking for weaknesses. Some will successfully find security vulnerabilities. When this happens, it’s critical that we become aware of the vulnerability ASAP so that we can fix it before it’s widely abused,” Riot Games said in a blog post on Friday.

Since the launch of the bug bounty program, researchers have reported multiple serious vulnerabilities that could have been exploited against players and the company’s services. Riot Games says it’s still not prepared to open the program to all researchers, but the company advises those who identify bugs to send an email to its security team at [email protected].

“Before we can expand the program, we need to get aligned on a foundational workflow that allows our security team to efficiently handle every report from the field and turn them into bugs that development teams will own. The real measure of the bounty program’s effectiveness is if Riot can earn the trust of the security research community and if players feel like Riot is serious about improving security,” the company said.

Organizations are increasingly realizing that bug bounty programs can be highly efficient for addressing security issues. The list of companies that have launched programs over the past months includes Pinterest, Twitter and Blackphone.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.