Good strategy online games are what Forge of Empires stands for. As a chieftain who founds his settlement anno 5000 B.C. in the Stone Age with little more than a few tents, it is your task to show your online strategy game skills and develop your city through the ages of history in this browser based empire game. Prove yourself a worthy ruler and lead your reign to glory!
We have set up an exclusive world on our most-played game, Forge of Empires, to be hacked! Enjoy the daily-deployed game updates constantly introducing new attack surface, and the free premium in-game currency!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy (VRT). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.
For very well-written reports and/or reports that fully describe exploit chains, researchers will receive an additional 10% reward bonus (minimum). Bonus rewards are given at the sole discretion of the InnoGames customer triage team.
Submissions that do NOT include an impact description and a proof-of-concept will not be rewarded.
Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or TinyURL). Include all your PoC screenshots/videos as attachments to your report (up to 50MB); if this is not possible, leave a note in the report and email firstname.lastname@example.org.
Last updated 2 October 2018 19:41:41 UTC
Technical severity | Reward range
P1 Critical | $2,000 - $3,000
P2 Severe | $1,000 - $2,000
P3 Moderate | $500 - $1,000
P4 Low | $100 - $500
P5 submissions do not receive any rewards for this program.
Target name | Type
xs.forgeofempires.com | Website
xs0.forgeofempires.com | Website
xs1.forgeofempires.com | Website
Forge of Empires Mobile App (iOS - via HockeyApp - see below for more details) | iOS
Forge of Empires Mobile App (Android - via HockeyApp - see below for more details) | Android
Any domain/property of Forge Of Empires or InnoGames which is not listed in the targets section above is out of scope. This includes any/all subdomains not listed above.
Forge of Empires Mobile Application (iOS and Android)
https://rink.hockeyapp.net/recruit/a2f798c932964ab48542149b10798814 - The HockeyApp builds are pinned to a special test market (XS). On this market (the same one as the web version) you will receive a massive amount of premium currency so that you can check all functions of the game.
xs.forgeofempires.com - This is our game landing page system which is used to signup, login and get news about the game
xs0.forgeofempires.com - This is our game master server which stores information about all worlds available - in this case only xs1
xs1.forgeofempires.com - This is the actual game world where all the game logic resides and the player gets redirected to
Sign up at https://xs.forgeofempires.com using your @bugcrowdninja.com email address (see here for more info on @bugcrowdninja emails: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address)
Then enter the game world Arvahall to hack all the things!
Feel free to create as many accounts as you need in order to efficiently test the game ecosystem. Every registered account will receive 250,000 diamonds in order to facilitate testing of the premium parts of the game. If you need more, just let us know.
We currently run two versions of the game: one is Flash-based and deprecated, the other is based on HTML5. The HTML5 version is enforced on the in-scope assets, and we only accept vulnerabilities affecting the HTML5 version; the Flash version is out of scope.
Besides the classic web vulnerability classes such as XSS, CSRF, IDOR, SQLi and RCE, we are mostly interested in security vulnerabilities that negatively affect the game's ecosystem, such as:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.