Security Vulnerability Reporting

Players and the security research community help us quickly repair security problems by reporting vulnerabilities and putting them on our radar.

To report a security issue, just shoot us an email at SOC@riotgames.com (PGP key available at the bottom of this page).

We welcome reports of all security vulnerabilities, including:

  • Web security problems (e.g. cross-site scripting and SQL injection problems)
  • Game exploits (e.g. insta-win bugs or third-party game modifications)
  • Other security concerns (e.g. infrastructure security problems, information disclosure issues)

We are also currently running a closed-beta bounty program hosted on HackerOne to reward security researchers. Researchers who successfully identify and report particularly severe security issues will receive an appropriate bounty and an invite to access this program.

Pro-Tips for Scoring A Bounty

Reports that are more likely to qualify for a bounty have:

  • Easy-to-follow reproduction steps
  • Bug descriptions that specify the scope of the vulnerability
  • Clear details about how the vulnerability can be directly leveraged as part of an exploit against players or Riot
  • A bug type that commonly qualifies for a bounty; examples include XSS, CSRF, SQL injection, authorization issues, gameplay exploits and the like

Reports that are less likely to qualify for a bounty (unless you found a cool way to exploit one of these):

  • Leverage automated scanners without narrow scoping or a throttled request rate, creating disruptive results like degraded service or publicly visible spam on our community discussion boards/forums

  • Missing HTTP Headers such as X-Content-Type, X-Frame-Options and X-XSS-Protection

  • Presence of banner or version information in HTTP responses

  • Logout CSRF vulnerabilities

  • Expected behavior which a researcher might deem to be insecure such as reCAPTCHA accepting an incorrect word

  • Vulnerabilities in third-party applications which make use of Riot Games APIs

  • Flaws specific to out-of-date browsers/plugins

  • Lack of the Secure and HttpOnly flags on non-sensitive cookies

  • Clickjacking on pages without authentication or sensitive state changes

  • Error messages void of sensitive data

  • Self-XSS scenarios that would require additional user interaction, including the user manually inputting the XSS payload

  • League of Legends gameplay bugs

For other issues with your account, head over to the Player Support page.
