Reporting A Security Vulnerability

 

Players and the security research community help us quickly repair security problems by reporting vulnerabilities.
 

We invite researchers who successfully identify new and particularly severe security issues to Riot’s private bug bounty program on HackerOne, where we reward issue discoveries with bounty payouts.
 

To report a security issue, shoot us an email at bugbounty@riotgames.com.
 

If we can validate that the reported issue qualifies for a bounty, we’ll triage it and keep you up to date about the progress towards resolution.
 

We welcome reports of all security vulnerabilities, including:
 

  • Web security problems (e.g. cross-site scripting and SQL injection problems)

  • Certain game exploits (e.g. insta-win bugs or disclosure of player information through the game)

  • Other security concerns (e.g. infrastructure security problems, information disclosure issues)
     

Scope
 

Any Riot services available from the internet and any software developed by Riot Games. This includes our web applications, servers, and all of our game(s).

If Riot has to implement a code change to fix the security bug, it most likely qualifies for a bounty.

Our most up to date scope is listed on our HackerOne page.

For other issues with your account, head over to the Player Support page.