There it was, a vulnerability that a Rioter had missed, an obscure weak point on the League of Legends website. With enough savvy, a malicious hacker could steal another player's identity on forums and make posts to impersonate them. We're not talking full-blown identity theft or account hijacking, but a pretty serious vulnerability nonetheless. And definitely something we should fix as soon as possible.
It was 2pm in Sydney, Australia, and 24-year-old security researcher Jamieson O’Reilly was stewing over this discovery. This vulnerability could’ve led to a number of phishing scams and an overall terrible experience. As a League player and researcher, curiosity and challenge inspired him to test his know-how against Riot’s network and websites.
“To be honest, what attracted me to test Riot was that I looked everywhere for Riot’s vulnerabilities and since there were none, it was more of a challenge to me as a security researcher to be one of the first to find something,” said O’Reilly.
With nowhere to go, he submitted his findings through the only channel available to him, Riot’s info@ inbox, an email designed to be a catch-all for general questions about Riot and what we’re up to. A week later… it finally reached a person in Riot’s security team who could address the problem. We knew this needed to be better.
The first step was admitting we had a problem
No software connected to the internet can be considered 100% secure. We know that smart people all over the world poke at our software, websites, and infrastructure, looking for weaknesses. Some will successfully find security vulnerabilities. When this happens, it’s critical that we become aware of the vulnerability ASAP so that we can fix it before it’s widely abused.
The people who find these flaws make up a diverse community whose motivations range from curiosity to malicious intent, and everything in between. Unfortunately, there was no efficient way for the good guys to report security bugs. Nor was there a clear incentive to do so.
If we’re not listening, it can frustrate researchers with good intentions and lead them to post their exploits online in order to get our attention. That’s not great for the researcher and could cause confusion and pain for players.
To solve this, we've spent the last year testing a publicly accessible bounty program that provides an official channel for security bug reports, and a mechanism to reward researchers who responsibly share important security issues we haven’t identified.
Currently in closed beta, the Riot Bug Bounty program is only available to a few security professionals who we’ve already identified. These professionals have helped us squish more than 75 bugs, vulnerabilities, and exploits, including client crash exploits, vision-related exploits, and vulnerabilities that could potentially lead to player impersonation on forums.
“Other companies will just take the findings and the rest is history. Riot took a unique approach in maintaining a dialogue directly with me,” said O’Reilly. “This is an invaluable opportunity to me as a security researcher and is worth more than any amount of bounty payout."
While collaboration and insight motivate some researchers, cold hard cash is still a pretty great reward. Since the beta program’s initial kickoff in April 2013, more than $100,000 has been paid out to the small fellowship of invited participants.
We’re not ready to open the program to all security researchers and enthusiasts, but we hope to share more details soon™.
How it’ll work
When researchers stumble across a new and severe security issue, they can visit our HackerOne page to submit their finding, potentially in exchange for cash and cred. We set the rules of the program (e.g. don’t test exploits on other players or their accounts) and guidelines for what kinds of issues qualify for a bounty. Developing your own exploits to report is OK as long as players don’t suffer and the disclosure’s coordinated with us. Anything you do that’d get you banned in game or is a crime in real life is serious business and will probably affect our ability to work with you.
We knew that running a program like this would be complex, and that poor communication or slow payments can kill trust, which in turn kills a bounty program. So working with an experienced partner like HackerOne to coordinate communication and payouts made sense.
The bugs we’ve squished together
Since the start of this program, we’ve validated a number of very serious submissions that had the potential to cause a lot of harm to players and our service.
One researcher found a way to abuse the old chat invite system to crash any recipient’s game client. This could prevent streamers from playing LoL, or prevent players from picking their champions during Champ Select. This would also force dodge penalties and LP loss in ranked games against their target. Pretty evil.
Riot was able to deliver the bounty payments to this researcher within 24 hours of validating the fixes.
Before we can expand the program, we need to get aligned on a foundational workflow that allows our security team to efficiently handle every report from the field and turn them into bugs that development teams will own. The real measure of the bounty program’s effectiveness is if Riot can earn the trust of the security research community and if players feel like Riot is serious about improving security. Thanks to passionate security pros like Jamieson O’Reilly and others, we’re finding and fixing weak points in our nexus. We look forward to the day the entire community can join the hunt. In the meantime if you are aware of any critical security issues that we should be aware of, reach out to our security team at firstname.lastname@example.org.
Stay tuned to RiotGames.com for more information on the Bug Bounty Program and feel free to check out our gigs if you want to fight the good fight with us full-time.
p.s. thx for the awesome art RogueHawk