Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
Forge Of Empires logo
Hall of Fame


100 $ 

Forge Of Empires

No Submissions after 15-12-2018 12:00 UTC will be accepted, due to

Christmas holidays. After the holidays the program will be shut down on BugCrowd.

Good strategy online games are what Forge of Empires stands for. As a chieftain who founds his settlement anno 5000 B.C. in the Stone Age with little more than a few tents, it is your task to show your online strategy game skills and develop your city through the ages of history in this browser based empire game. Prove yourself a worthy ruler and lead your reign to glory!

We have set up an exclusive world on our most-played game Forge of Empires to be hacked! Enjoy the daily-deployed game updates constantly introducing new attack surface, and the free premium in-game currency!


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reports - Bonus Reward

For very well-written reports and/or reports that fully describe exploit chains, researchers will receive an additional 10% reward bonus (minimum). Bonus rewards are given at the sole discretion of the InnoGames customer triage team.

Reports - Impact Descriptions

Submissions that do NOT include an impact description & proof-of- concept will not be rewarded.

  • For example, an XSS vulnerability report should include proof of the vulnerability AND proof that a user's cookie can actually be stolen, rather than just assuming the vulnerability's impact.
  • If a submission does not contain an impact description, is not fully explained, or the impact of the vulnerability is assumed, the submission will not be eligible for reward.

Reports - Proof-of-Concept File Uploads

Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or Tinyurl). Try to include all your PoC screenshots/videos as an attachment to your report (up to 50MB), if this is not possible, please leave a note in the report about it and email

Reward Range

Last updated 2 October 2018 19:41:41 UTC

Technical severity | Reward range
p1 Critical | $2,000 - $3,000
p2 Severe | $1,000 - $2,000
p3 Moderate | $500 - $1,000
p4 Low | $100 - $500

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
---|--- | Website | Website | Website
Forge of Empires Mobile App (iOS - via HockeyApp - see below for more details) | iOS
Forge of Empires Mobile App (Andriod - via HockeyApp - see below for more details) | Android

Any domain/property of Forge Of Empires or InnoGames which is not listed in the targets section above is out of scope. This includes any/all subdomains not listed above.

Target Info

  • Forge of Empires Mobile Application (iOS and Android) The HockeyApp versions have a special test market (XS) that is pinned for the app. On this market (the same as the webversion) you will receive a massive amount of premium to be able to check all functions of the game.

  • - This is our game landing page system which is used to signup, login and get news about the game

  • - This is our game master server which stores information about all worlds available - in this case only xs1

  • - This is the actual game world where all the game logic resides and the player gets redirected to

Testing Access

Create a Testing Account:

  1. Go to https://xs.forgeofempires.comand signup using your email address (see here for more info on @bugcrowdninja emails:
  2. Once logged in, choose the Playbutton
  3. We have created an exclusive world for you called Arvahall to hack all the things!

Premium Testing Credit - Currency (Diamonds)

Feel free to create as many accounts as you need in order to efficiently test the game ecosystem. Every registered account will receive an amount of 250.000 diamonds in order to facilitate testing of the premium parts of the game. If you need more, just let us know.

Note on Flash/HTML5 Versions

We do currently run two versions of the game: one is Flash-based and deprecated and one is based on HTML5. We have enforced the HTML5 version on the in-scope assets and only accept vulnerabilities affecting the HTML5 version. (which is to say the flash version is out-of-scope)

Focus Areas

Besides the classic web-based vulnerability classes such as XSS, CSRF, IDOR, SQLi, RCE, we are mostly interested in security vulnerabilities that affect the game's ecosystem in a negative manner, such as:

  • Disclosure of PII from other player accounts
  • Manipulation of the city of other players
  • Cheating in battles against other players


  • All other localized versions of live markets (,, etc.)
  • The Flash version of Forge of Empires
  • All bugs that allow an individual to gain only personal advantages
  • Vulnerability reports without proven exploitability
  • Theoretical issues or otherwise unproven assumptions without a proof of exploitability
  • Denial of Service (DoS) attacks of any kind
  • Physical and social engineering attacks
  • Results of automated scanners
  • Internal pivoting, scanning, exploiting, or exfiltrating data from internal InnoGames systems
  • Outdated, known-vulnerable software without a fully functional exploit
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Certificate hard-coded/recoverable in apk/ipa
  • Sensitive data in request bodies when protected by TLS
  • Any kind of sensitive data stored in app private directory

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019

Legal notices