Cybersecurity experts might want to ethically hack Vanguard, Riot's anti-cheat system, thanks to a newly revealed bounty.
Riot Games, the developer of League of Legends and VALORANT, is offering bounties of up to $100,000 to anyone who can crack Vanguard, the anti-cheat system of both popular games. The bounty was reinforced in a post by the LoL devs on HackerOne, a popular bug and vulnerability bounty platform that connects organisations with ethical hackers, also known as “security researchers,” to help improve their cybersecurity.
According to their post on HackerOne, it’s currently an “invite-only” program, so any type of participation should be kept confidential until Riot is ready to announce it. Riot has had bounties up for a while now, but has added new rewards for Distributed Denial of Service (DDoS) exploits. These new DDoS bounties range from US $500 to $100,000.
Quite specifically, DDoS attacks that “target individual players” have a $100,000 bounty across all categories, along with “Targeted In Game Session Disconnection.” The LCK has been the target of multiple DDoS attacks in the first few months of Season 2024, with T1 specifically struggling with it until mid-year, so it’s no surprise that Riot wants to find all possible vulnerabilities relating to the issue.
How do I participate to claim a bug bounty?
You can find Riot Games' Bug Bounties on HackerOne. Visit the website or send an email to [email protected] to notify Riot Games' security team of any vulnerabilities you may find. Be advised that although the maximum payout for a Riot Games bug bounty is US $100,000, the actual amount that will be awarded will vary based on the category of the vulnerability.
The least profitable is a "non-traffic volume based Denial of Service" that "affects players only in your in-game session," and pays out between $500 and $2,500. A "DDoS that can identify and target individual players" and "Targeted In Game Session Disconnection" will earn higher rewards, reaching $100,000 combined. Prior to receiving any compensation, hackers will be required to confirm their claims with the security team of Riot Games.
"If we can validate that the reported issue qualifies for a bounty, we’ll triage it and keep you up to date about the progress towards resolution," the page said. They go on to say, "If Riot has to implement a code change to fix the security bug, it most likely qualifies for a bounty."
Be warned that “publicly disclosing your bug” without coordinating with Riot Games first may disqualify you from the bounty, although reports that contain zero-day vulnerabilities will be evaluated individually, on a case-by-case basis.