14711 policies in database
Link to program      
Growtopia logo


300 $ 


Ubisoft is a leading video game company, the creators of original and immersive worlds like Assassin's Creed, Far Cry, The Crew or Watch Dogs. This engagement is specifically for Growtopia and related assets. Please refer to the In Scope Target list for more information.

We welcome the reporting of security vulnerabilities that would help us protect our assets and players


You are not eligible to participate in this program if you are underage or you do not have the authority in your own capacity to enter into a binding agreement on the terms and conditions of this program.

If you are an Ubisoft employee, findings are not eligible for rewards

Report Format and POC

You must provide a proof-of-concept (POC) demonstrating a vulnerability and explain to the best of your knowledge the security impact.

Use your own account for testing purposes. Do not attempt to gain access to another user’s accounts or compromise any user or Ubisoft confidential information


This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

You agree that any and all information, data or document of any kind regardless of form accessed by you within Ubisoft’s information systems or services of any kind or transmitted by Ubisoft shall be treated as strictly confidential.

This program requires explicit permission from Ubisoft to disclose any of Ubisoft’s information, including without limitation the results of a submission.


Ubisoft reserves the right to change or modify the terms of this program at any time without notification to you. Please check for any updates to this program before making a new submission.


  • Identical issues across different production and non-production environment counterparts will be considered duplicates.
  • Identical issues across different sub domains that share code will be considered duplicates.
  • Issues already identified internally will be considered duplicates.


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. Most changes in the priority will follow the following matrix.

Priority | Vulnerability Type
P1 | Access to game servers to manipulate code or change data through any mean
P2 | Access to developer/ moderator account
P3 | Game exploits that can cause repeated game outages via packet manipulation Game exploits that can be used to duplicate items in the game
P4 | Game exploits to take game action on other players behalf without their consent via packet manipulation Game exploits to interpret other players game data

In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Reward range

Last updated 29 Jan 2021 17:40:23 UTC

Technical severity | Reward range
p1 Critical | $6,100 - $6,500
p2 Severe | $2,100 - $2,500
p3 Moderate | $850 - $1,000
p4 Low | $300 - $500

P5 submissions do not receive any rewards for this program.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This policy crawled by Onyphe on the 2021-02-08 is sorted as bounty.

FireBounty © 2015-2021

Legal notices