Hackers, get ready! Riot Games wants you to find security issues and bugs in League of Legends and other games for a possibly tremendous cash reward.
League of Legends, Valorant, and other Riot Games titles have had their fair share of game-disrupting issues over the years. Some bugs, however, pose a greater threat to actual security, rather than just being annoying. To try and mitigate future issues, Riot is offering a potentially massive bounty to those who can find these security risks.
What counts as a $100,000 bug? And how do interested parties sign up?
Here are the qualifying bugs and rewards
Riot is looking for several different kinds of bugs across League of Legends, Valorant, and other games.
The company is the most concerned about finding ways that bad actors can access and exploit user data. As such, all reports must relate to products that Riot Games has control over rather than larger network or service issues. Riot is mainly interested in bugs related to the following categories:
- Player experience denial of service
- Vanguard exploits
- Vulnerabilities in the Hypexi infrastructure
- Standard cheats or exploits
- Content acquisition exploits
- General infrastructure and client-side vulnerabilities
Qualifying bugs can earn the finder a bounty from $250 to $100,000, depending on the severity. Bugs that affect players in multiple game sessions are worth more, as are those that focus on the anti-cheat Vanguard. Targeted in-game session disconnections and Vanguard network attacks carry the largest rewards.
Additionally, reports that have easy-to-follow reproduction steps, have clear details about how the bug can be exploited, and avoid accessing player data without permission are more likely to earn bounties. Riot pays out rewards at its own discretion, and the actual amount may vary.
How to sign up to find bugs in League of Legends and other Riot games
Currently, those who want to participate in finding bugs for League of Legends and Valorant need to be invited.
All parties have been instructed to keep their involvement and bugs they find a secret. Violating this agreement runs them the risk of forfeiting any bounty earned. At this time, Riot has not clarified how they select participants. Cybersecurity company HackerOne co-runs the program and could be involved in recruiting people.
For those who aren’t part of the selective team dedicated to finding bugs for Riot, they can still report any issues they have through their account or by submitting a ticket. They just won’t get the $100,000 bounty.