Riot Games

Reporting A Security Vulnerability

Players and the security research community help us quickly repair security problems by reporting vulnerabilities.

We invite researchers who successfully identify new and particularly severe security issues to Riot’s private bug bounty program on HackerOne, where we reward issue discoveries with bounty payouts.

To report a security issue, shoot us an email at bugbounty@riotgames.com. Please refrain from contacting members of the Riot Games team directly about reports in our Bug Bounty program. We adhere to a platform mediation process on HackerOne; this is the only appropriate forum for escalations. Failure to adhere to these guidelines may disqualify a report from receiving a bounty.

If we can validate that the reported issue qualifies for a bounty, we’ll triage it and keep you up to date about the progress towards resolution.

We welcome reports of all security vulnerabilities, including:

  • Web security problems (e.g. cross-site scripting and SQL injection problems)

  • Certain game exploits (e.g. insta-win bugs or disclosure of player information through the game)

  • Other security concerns (e.g. infrastructure security problems, information disclosure issues)

Scope

Any Riot services available from the internet and any software developed by Riot Games. This includes our web applications, servers, and all of our game(s).

If Riot has to implement a code change to fix the security bug, it most likely qualifies for a bounty.

Our most up-to-date scope is listed on our HackerOne page.

For other issues with your account, head over to the Player Support page.