Players and the security research community help us quickly repair security problems by reporting vulnerabilities and putting them on our radar.
To report a security issue, just shoot us an email at SOC@riotgames.com (PGP key available at the bottom of this page).
We welcome reports of all security vulnerabilities, including:
- Web security problems (e.g. cross-site scripting and SQL injection problems)
- Game exploits (e.g. insta-win bugs or third party game modifications)
- Other security concerns (e.g. infrastructure security problems, information disclosure issues)
We are also currently running a closed-beta bounty program hosted on HackerOne to reward security researchers. Researchers who successfully identify and report particularly severe security issues will receive an appropriate bounty and an invite to access this program.
Pro-Tips for Scoring A Bounty
Reports that are more likely to qualify for a bounty have:
- Easy-to-follow reproduction steps
- Bug descriptions that specify the scope of the vulnerability
- Clear details about how the vulnerability can be directly leveraged as part of an exploit against players or Riot
- Examples of bug types that commonly qualify for a bounty include XSS, CSRF, SQL injection, authorization issues, gameplay exploits and the like
Reports that are less likely to qualify for a bounty (unless you found a cool way to exploit one of these):
- Use of automated scanners without narrow scoping or a throttled request rate, creating disruptive results such as degraded service or publicly visible spam on our community discussion boards/forums
- Missing HTTP headers such as X-Content-Type, X-Frame-Options and X-XSS-Protection
- Presence of banner or version information in HTTP responses
- Logout CSRF vulnerabilities
- Expected behavior which a researcher might deem to be insecure, such as reCAPTCHA accepting an incorrect word
- Vulnerabilities in third party applications which make use of Riot Games APIs
- Flaws specific to out-of-date browsers/plugins
- Lack of the Secure and HTTPOnly flags on non-sensitive cookies
- Clickjacking on pages without authentication or sensitive state changes
- Error messages devoid of sensitive data
- Self-XSS scenarios that would require additional user interaction, including the user manually inputting the XSS payload
- League of Legends gameplay bugs
For other issues with your account, head over to the Player Support page.