Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program with them.
If you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!
Program Rules
============
1. Program Eligibility
* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Sudan, and Syria).
* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.
2. What's allowed/permitted
* You will comply with all applicable laws and regulations.
* You will let us know as soon as possible following the discovery of a vulnerability.
* You will follow the disclosure guidelines defined below.
3. What's not allowed/not permitted
* You may not submit reports from automated scanners and tools.
* You will not maliciously exploit any vulnerabilities.
* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties.
* You will not conduct Denial of Service testing nor any other actions that disrupt services.
* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.
* You will not conduct social engineering of any Epic employees and/or contractors.
* You will not conduct physical attempts against Epic Games property or data centers.
4. Legal
* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list.
* The Epic Games HackerOne program will not remove or modify any bans placed on an account.
* Failure to comply with any or all of these rules may result in removal from the program.
Report Submissions
=============
What's required
=============
* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “sectest” in the username.==
* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.
* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as N/A.
* You may only submit one vulnerability per report unless multiple vulnerabilities are required to demonstrate an impact.
* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.
* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. Do not attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages.
* ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content, as this will have an adverse effect on user experience.==
* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.
* Any content obtained during the PoC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic.
* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==
Bounties
=============
Please review the table below for examples of severity categories:
|Description|Severity|Potential Bounty|Notes|
|--|--|--|--|
|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||
|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|
|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|
|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |
|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|
|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |
|Privilege escalation on in-scope Epic services|High|$7,500| |
Game Security Severity Guidelines
=====
* Being able to enumerate the server IP address of another player in real-time. (Battle Royale)
* Being able to crash a server that you are not a member of
* Remote code execution on either the game server or another player’s computer
* Being able to crash a server that you are a member of
* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match
* Being able to crash people in your social party
* Being able to modify interaction times on reviving players or using medkits
* Remote code execution on either an associated backend server or another player’s computer
* Remote denial of service by crashing anti-cheat components on another player’s computer
* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory
* Implementation details of a previously unknown and unique method for preventing anti-cheat detections
* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers
Disclosure Guidelines
=====
* You understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.
* If you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.
Scope
=====
Valid scopes are listed in the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.
When datamining the approved clients/endpoints, only findings against the following are accepted:
* fortnite-public-service-prod11.ol.epicgames.com
* FortniteClient-Win64-Shipping.exe
Out of Scope
============
* Vulnerabilities from automated scanners without additional analysis
* Vulnerabilities relying on out-of-date browsers/software
* Clickjacking/UI-redressing
* XSS only affecting old browser versions
* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability
* Mixed content warnings
* Missing cookie flags that do not directly lead to a vulnerability
* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)
* Credentials to individual end-user accounts (e.g. Epic Games Store accounts)
* Denial of Service / Distributed Denial of Service attacks
* Social engineering (e.g. phishing, vishing, smishing) attacks
* Physical security attacks
* SPF, DKIM, and DMARC records and flags
* Text-only injection
* Password stuffing attacks
* Bugs/attacks requiring extremely unlikely actions by a victim (e.g. Self-XSS)
* Adobe Flash related submissions
* Assets not owned by Epic Games (third-party assets) are not considered in scope
Additional Notes
============
A valid PoC will also be required to contain:
* Proof of at least 1000 accepted requests by the server in a very short time-frame.
* Proof of successful login or completion of operation after said 1000+ requests.
Scope Type | Scope Name |
---|---|
android_application | FortniteClient-Android-Shipping-arm64-es2.apk |
application | FortniteClient-Win64-Shipping.exe |
application | FortniteLauncher-Win64-Shipping.exe |
application | FortniteLauncher-Win64-Shipping_BE.exe |
application | FortniteLauncher-Win64-Shipping_EAC.exe |
application | FortniteLauncher.exe |
application | EOS C# SDK |
other | Any other Epic games owned asset not listed in the out of scope section |
web_application | *.rocketleague.com |
web_application | *.psynet.gg |
web_application | *.unrealtournament.com |
web_application | *.epicgames.com |
web_application | *.unrealengine.com |
web_application | *.fortnite.com |
web_application | *.epicgames.dev |
web_application | metahuman.unrealengine.com |
web_application | twinmotion.unrealengine.com |
web_application | *.psyonix.com |
web_application | *.3lateral.com |
web_application | *.cubicmotion.com |
web_application | *.oncatapult.com |
web_application | *.fallguys.com |
web_application | *.mediatonic.co.uk |
web_application | *.easy.ac |
web_application | *.artstation.com |
web_application | *.quixel.com |
web_application | *.sketchfab.com |
web_application | *.superawesome.tv |
web_application | *.superawesome.com |
web_application | *.popjam.com |
web_application | *.rukkaz.com |
web_application | *.jellychat.com |
web_application | help.sketchfab.com |
web_application | forum.sketchfab.com |
Scope Type | Scope Name |
---|---|
android_application | Popjam Android application |
android_application | Rukkaz Android application |
application | FortniteClient-Mac-Shipping.app |
other | Adobe Flash related submissions |
web_application | epicsupport.force.com |
web_application | learn.unrealengine.com |
web_application | docs.unrealengine.com |
web_application | udn.unrealengine.com |
web_application | watch.fortnite.com |
web_application | merch.fortnite.com |
web_application | eoshelp.epicgames.com |
web_application | answers.unrealengine.com |
web_application | communityportal.epicgames.com |
web_application | marketplacehelp.epicgames.com |
web_application | twinmotionhelp.epicgames.com |
web_application | issues.unrealengine.com |
web_application | damascushelp.epicgames.com |
web_application | mithrilhelp.epicgames.com |
web_application | stadiahelp.epicgames.com |
web_application | artportal.epicgames.com |
web_application | communities.unrealengine.com |
web_application | login.epicgames.com |
web_application | forums.unrealengine.com |
web_application | webinars.unrealengine.com |
web_application | skookum.chat |
web_application | mediaspace.unrealengine.com |
web_application | superawesome.com/contact-us/ |
web_application | *.bandcamp.com |
web_application | detroitlabs.epicgames.com |
This policy, crawled by Onyphe on 2021-10-12, is sorted as bounty.
FireBounty © 2015-2024