Riot has posted one of the biggest—if not the biggest—bounties in gaming, offering people up to $100,000 if they can find a security flaw in the company’s controversial Vanguard anti-cheat system.
The bounty, announced today, is being hosted on HackerOne, where users can earn some scratch from tech companies for pinpointing flaws in their security. There are several distinct reward tiers; the more dangerous the exploit someone finds in Vanguard, the more money they can potentially earn. Rewards range from $25,000 for a bug that allows outside entities to access users’ private information all the way up to $100,000 for “code execution on the kernel level,” which would let a hacker compromise the most fundamental parts of a computer. Riot also provides several examples on the official bounty page.
Several developers have bug bounty programs on HackerOne, but none come close to what Riot is offering. Nintendo, for instance, has rewards that range from $100 to $20,000 for finding security weaknesses in the 3DS and Switch. Valve offers bounties that can surpass $2,000 depending on severity. Rockstar Games tops out at $10,000 for a specific bug related to false positives in Grand Theft Auto Online and Red Dead Redemption Online’s cheat detection.
Riot announced this bounty following a week of controversy around its Vanguard anti-cheat program, which is installed on the computers of people who download and play Valorant, the new competitive shooter from League of Legends developer Riot Games. Vanguard caused a ruckus when players discovered that its anti-cheat system is always running on players’ computers, with heightened privileges to boot. Riot maintains that the program has been rigorously tested for vulnerabilities, but is prepared to pay out big money should an exploit be discovered.
“We want players to continue to play our games with peace of mind, and we’re putting our money where our mouth is,” a message from the Riot Security Team reads. “If you think you’ve found a flaw in Vanguard that would undermine the security and privacy of players, please submit a report right away.”
Riot has run its “bug bounty” program on HackerOne since late 2014. Bounties not related to Vanguard start at $250 but can reach upwards of $4,000 according to a 2016 presentation by David Rook, Riot’s current European security lead. After researchers submit their bug findings, what they’re paid is decided through discussions among the Riot security team, who consider details like the severity of the bug and the amount of work it took to find. Riot has reportedly awarded almost $2 million since starting this program.
Valorant is currently in closed beta and available to players who obtain keys by watching streamers play it on Twitch.