League of Legends is arguably the most popular game in the world, but Riot lacked a quick and easy way for individuals to share weaknesses in the game’s security. One security researcher found a vulnerability, emailed Riot and then a week later the message finally reached Riot’s security team. He did the right thing, but Riot didn’t have a system to react to him or to reward his work.
Riot’s latest idea? Put the security pros to work. If you find a weakness in League of Legends, they’ll pay you for it.
“No software connected to the internet can be considered 100 percent secure. We know that smart people all over the world poke at our software, websites and infrastructure, looking for weaknesses. Some will successfully find security vulnerabilities,” Riot stated on an official blog post. “When this happens, it’s critical that we become aware of the vulnerability ASAP so that we can fix it before it’s widely abused.
“The people who find these flaws make up a diverse community whose motivations range from curiosity to malicious intent, and everything in between. Unfortunately, there was no efficient way for the good guys to report security bugs. Nor was there a clear incentive to do so.”
The Riot “Bug Bounty” program is currently in closed beta with a few hand-selected security enthusiasts, but the company has already paid out over $100,000 to individuals for reporting these issues. The company is also focusing on the speed of both its response and its payments.
“One researcher found a way to abuse the old chat invite system to crash any recipient’s game client. This could prevent streamers from playing LoL, or prevent players from picking their champions during Champ Select. This would also force dodge penalties and LP loss in ranked games against their target. Pretty evil,” Riot stated.
“Riot was able to deliver the bounty payments to this researcher within 24 hours of validating the fixes.”
The program is still in closed beta, but more information will be shared with the community “soon.”