2023-08-16

nianticlabs

Niantic Vulnerability Disclosure Policy

We value the work of security researchers and would like to invite anyone willing to spend time on helping Niantic improve security to give us their feedback. Niantic is committed to engaging with the security community and is thankful for your contributions!

If you want to report a security-related issue you have identified, be sure to review and follow our terms and conditions before sending us a report via the form linked at the bottom of the page. For more information on how Niantic handles your personal data, please see our privacy policy.

Scope

Domains

  • *.nianticlabs.com
  • *.niantic.team
  • *.niantic.dev
  • *.lightship.dev
  • *.niantic.cn
  • *.ar.dv
  • *.ingress.com
  • *.pokemongolive.com
  • *.8thwall.com
  • *.8thwall.app
  • *.8th.io

Games and respective Backends

  • Pokémon GO
  • Ingress Prime
  • Campfire
  • Pikmin Bloom

Specifically out of scope Vulnerability Types

  • Information disclosures such as application and version banners, stack traces, server errors, internal IPs or path disclosures
  • Brute force attacks involving username/password, account lockout, username/email enumeration (attacks that go beyond blindly testing may still be considered)
  • Any physical attacks against Niantic Facilities or Property or employees
  • Any social engineering attacks (e.g. phishing, email spoofing or self-XSS)
  • Open redirects
  • TLS/SSL issues
  • Any exhaustion and disruptive attacks such as (Distributed) Denial of Service, request spamming, slow-loris, etc.
  • Click-jacking
  • CSRF issues not impacting account integrity
  • Cookie security (e.g. secure flag)
  • Out-of-date or known-vulnerable software (high severity issues might still be considered depending on possible impact)
  • Cheating incidents or issues around in-game exploits

Rewards

Niantic will consider the maximum impact of the presented vulnerability. Reporters may be rewarded, at our discretion, based on the severity of found vulnerabilities.

Investigating and reporting

  • Niantic will make reasonable efforts to investigate and resolve the reported issue within 90 days. However, in some cases Niantic may require more time, which we will communicate to you. Do not share any information about the report before Niantic has communicated that the issue has been resolved.
  • Do not alter any data you gain access to as a result of your investigation. As a rule of thumb, only attack your own accounts. Examples: user profile data other than your own, altering database entries or bucket contents.
  • Avoid privacy violations and disruptions, including (but not limited to) impacting service quality via (D)DoS, deletion of data or accessing personal accounts (e.g. via phishing). You remain personally responsible for any privacy violations, disruptions, or any violations of applicable laws or regulations you commit while taking part in a security report.
  • Do not try to exploit a vulnerability (e.g. do not try to gain access to a machine or pivot/scan from an already compromised one to demonstrate additional risk).
  • Do not violate any other applicable laws or regulations.

This program, crawled on 2023-08-16, is sorted as bounty.
