We’ve seen a wide range of security vulnerabilities at Riot, from simple information disclosure issues to deep-rooted exploits scarier than a level-three bot-lane fiesta. One of our top researchers found that an internal-only version of our forums had somehow become open to everyone. This by itself was a nice find, but after digging through the forum posts the researcher found an invitation link to join Riot’s HipChat, an internal chat tool we used in the past. The post including the invitation link was actually two years old, but, as we soon discovered, such invitation links never expired. We found that by using the invitation link we could join the HipChat organisation and use any name and email address we wanted. Uh oh.
We could’ve pretended to be a trusted Rioter (and did just that during our investigation) and potentially pushed Rioters to share their finest memes and cat gifs with us, or far worse. A HipChat invitation that never expired was obviously far from ideal and by itself wasn’t the end of the world, but the potential for information leakage posed a colossal problem. Ultimately the root cause was a change to an access control list that unintentionally opened up access to the internal board.
We set up our bug bounty program to discover vulnerabilities like these, and we paid one of our largest-ever bounty payouts for this submission. The incident reminded us that small security issues can be chained together to create a much bigger problem when a highly skilled attacker is behind the keyboard. Situations like this have led us to crossing the $1 million mark in bounties paid out to researchers. Thanks to the program and the talented researchers that take part in it, our products are more secure than ever before.
To protect League, players and Rioters, we ensure every app we produce, every bit of code we write has been meticulously checked to ensure it’s bulletproof to those who would attempt to breach it. If a hacker can crack our work we’ll pay them (a lot).
Our Application Security team in Dublin leads the charge via its bug bounty program, and the team helps Rioters write secure code to keep attackers at bay. It’s one of the few teams based in a regional Riot office that isn’t focused on a single region: they work with all of our teams around the world to secure their code and keep it free from vulnerabilities, whether it’s a mobile app for Russian universities for our Moscow office or an R&D team trying to put the “s” in Riot Games.
David “P0w3rN1nja” Rook, product lead of AppSec, likens security at Riot to warding in League. “If you're going into a bush blind,” Rook says, “you don't know what's going to happen. We see that as similar to security; if we don't know about these security problems, then malicious people can exploit them and attack players. We’d always be reactive, panicked, and we’d rarely make the right decisions. Researchers, by finding these exploits, are placing wards for us.”
One of the best ways to test the resilience of our security shield is to hire hackers to be a warhammer, constantly beating at it looking for a crack. Working with some of the most skilled hackers has a bunch of challenges to overcome, including location issues, or even the simple fact that these hackers don’t want a public record of reporting bugs to Riot and being paid by us. It’s worth it for us to work past these because we want to give people an avenue to report bugs, vulnerabilities and exploits to us and be justly rewarded for their efforts.
Relationships thrive on respect; we want top researchers to break our code open, so we need to respect them and treat them like partners. With that in mind, we created our bug bounty manifesto:
1. Fight together, not with each other
Researchers will break things and test limits—it’s what they’re great at. We should help them understand our rules and limits instead of automatically resorting to the ban hammer.
2. Make researchers feel like part of the team
We want researchers to feel like they’re part of the Riot InfoSec team and care about helping us level up the security of our products.
3. KISS (Keep It Simple, Stupid) when it comes to program scope
Our scope should be simple and easily communicated. If an issue could affect a player, it’s in scope.
4. Value researchers’ time and reward them well
We never want a researcher to feel like it’s not worth their time to find vulnerabilities. Our minimum payouts make it worthwhile for researchers to give their time, and our average payouts reward the best researchers in the world for their unique skills and time.
5. Build a world-class program to attract the best researchers
We want to be the most researcher-focused program in the world. Our researchers should have a positive and rewarding experience when working with Riot.
Point four is particularly important to us—it’s something we’ve aimed to show through the compensation we pay out to researchers. The minimum payout in a lot of similar programs was as low as $50, and we saw that as a big issue; if we want Challenger-tier hackers to invest their time, it’s gotta be worth the effort. We set our minimum payout at $250, significantly higher than most, and we have no cap on our max payout: if a researcher saves our nexus, we’ll ensure they get the reward they deserve and we don’t want to limit that. We’ve paid researchers over $10,000 for serious exploits.
Work With Us
If you want to help the team continue to make Riot products as secure as they can be, the team hires candidates all around the world, particularly in our Los Angeles and Dublin offices. The team recruits from a variety of backgrounds (we even hired someone we discovered on the League subreddit!) so if you’ve got a strong interest in security and have an engineering background, or if you’re a hacker who can write code, we want you! Check out current open positions. We need security experts with a desire to help us with our ultimate goal: to protect League, players and Rioters.