Riot Games has paid out over $100,000 to security researchers poring over the game for exploits, hacks and bugs under its League of Legends bug bounty scheme, Security Week reports.
The HackerOne platform, on which the League of Legends bug bounty program is based, has been open since April 2013, but only to a handful of security researchers. Despite this, they have since found a total of 75 exploits, which Riot Games has duly patched.
Bugs squashed have included client crash exploits, vision related flaws and exploits where players could potentially be impersonated on official forums.
The latter of these was how Riot Games came to set up the bug hunting program in the first place. An Australian researcher found a vulnerability that would have allowed him to steal the identity of players and impersonate them on the forums – there was no account hijacking involved, but it could have been used for phishing. Because at the time the company had no official security channels in place, the report was sent via the general enquiries email account, which meant it took around a week to reach the people who needed to fix it.
The official Riot Blog post on its League of Legends bug bounty describes this point as “admitting we had a problem.”
“If we’re not listening, it can frustrate researchers with good intentions and lead them to post their exploits online in order to get our attention. That’s not great for the researcher and could cause confusion and pain for players,” the company explained.
Now, the company intends to open the program to “all security researchers and enthusiasts” though they’re not quite ready yet. “Before we can expand the program, we need to get aligned on a foundational workflow that allows our security team to efficiently handle every report from the field and turn them into bugs that development teams will own,” the company explained. In the meantime, anyone with an exploit to report can contact the security team directly via email.
by Alan Martin, ESET