Riot Offering Up To $150,000 For Finding Vulnerabilities In Valorant’s Anti-Cheat System


Riot has posted one of the biggest—if not the biggest—bounties in gaming, offering people up to $US100,000 ($157,097) if they can find a security flaw in the company’s controversial Vanguard anti-cheat system.

The bounty, announced today, is being hosted on HackerOne, where users can earn some scratch from tech companies for pinpointing flaws in their security. There are several distinct reward tiers; the more dangerous the exploit someone finds in Vanguard, the more money they can potentially earn. This starts at $US25,000 ($39,274) for a bug that allows outside entities to access users’ private information all the way to $US100,000 ($157,097) for “code execution on the kernel level,” which would let a hacker compromise the most fundamental parts of a computer. Riot also provides several examples on the official bounty page.

Several developers have bug bounty programs on HackerOne, but none come close to what Riot is offering. Nintendo, for instance, has rewards that range from $US100 ($157) to $US20,000 ($31,419) for finding security weaknesses in the 3DS and Switch. Valve offers bounties that can surpass $US2,000 ($3,142) depending on severity. Rockstar Games tops out at $US10,000 ($15,710) for a specific bug related to false positives in Grand Theft Auto Online and Red Dead Redemption Online’s cheat detection.

Riot announced this bounty following a week of controversy around its Vanguard anti-cheat program, which is installed on the computers of people who download and play Valorant, the new competitive shooter from League of Legends developer Riot Games. Vanguard caused a ruckus when players discovered that its anti-cheat system is always running on players’ computers, with heightened privileges to boot. Riot maintains that the program has been rigorously tested for vulnerabilities, but is prepared to pay out big money should an exploit be discovered.

“We want players to continue to play our games with peace of mind, and we’re putting our money where our mouth is,” a message from the Riot Security Team reads. “If you think you’ve found a flaw in Vanguard that would undermine the security and privacy of players, please submit a report right away.”

Riot has run its “bug bounty” program on HackerOne since late 2014. Bounties not related to Vanguard start at $US250 ($393) but can reach upwards of $US4,000 ($6,284) according to a 2016 presentation by David Rook, Riot’s current European security lead. After researchers submit their bug findings, what they’re paid is decided through discussions among the Riot security team, who consider details like the severity of the bug and the amount of work it took to find. Riot has reportedly awarded almost $US2 million since starting this program.

Valorant is currently in closed beta and available to players who obtain keys by watching streamers play it on Twitch.

Comments

  • It’s funny, because I read a reddit thread once that outlined that a lot of people who can legitimately bust these things wide open, often won’t, as they see things like this as bait to basically ‘out’ those and track those who can, for companies to basically ‘keep an eye on them’. I wonder how true that is or if it’s just reddit pasta?

  • Secretly installing an unauthorised kernel module on your system seems like a pretty big vulnerability to me. Can I have my $100k now, Riot?

    • While I can appreciate that this seems like something odd, I would like to put it out there that it’s incredibly likely that if you have played any multiplayer games in the last ten years you have already had kernel drivers installed on your computer. Pretty much any game that uses Battleye or Easy Anti Cheat has already installed kernel drivers.

  • I don’t think even AV programs have that deep level of access do they?

    I wonder how much 1 or 2 bitcoin costs these days, because 100K bounty for a code execution bug doesn’t seem like much if (hypothetically speaking) you could go compromise 1 million computers instead
