Christmas holidays. After the holidays the program will be shut down on BugCrowd.
With around 150 million registered players, InnoGames is one of the worldwide leading developers and publishers of online games. Currently, more than 350 people from 30 nations are working in the Hamburg-based headquarters. Here community management, development and system administration work seamlessly together. This, combined with close contact to our players, creates a strong foundation that promotes the continued improvement of our games.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
For very well-written reports and/or reports that fully describe exploit chains, researchers may receive an additional 10% reward bonus (minimum). Bonus rewards are given at the sole discretion of the InnoGames customer triage team.
Reports should ALWAYS include an impact description & proof-of-concept. For example, an XSS vulnerability report should include proof of the vulnerability AND proof that a user's cookie can actually be stolen, rather than just assuming the vulnerability's impact.
explained, or the impact of the vulnerability is assumed, the submission will not be eligible for reward.
Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or TinyURL). Try to include all your PoC screenshots/videos as attachments to your report (up to 50MB). If this is not possible, please leave a note in the report about it and email email@example.com.
Last updated 22 August 2018 21:12:34 UTC
Technical severity | Reward range
P1 Critical | $1,800 - $3,000
P2 Severe | $900 - $1,800
P3 Moderate | $400 - $900
P4 Low | $100 - $400
P5 submissions do not receive any rewards for this program.
Target name | Type
*.innogames.com | Website
*.innogames.de | Website
*.igpayment.com | Website
Any domain/property of InnoGames which is not listed in the targets section above is out of scope. This includes any/all subdomains not listed above.
Please note: Unfortunately, we cannot provide test credit cards or other payment accounts at this time.
Please DO NOT test the contact form at https://www.innogames.com/company/contact/
This is our central login and account management tool
This is our payment environment used in all of our games. Steps to test:
The iframe URL looks like this:
You can also use the voucher system to execute requests.
We only reward vulnerabilities with proven exploitability that lead to a significant impact on our integrity or confidentiality. We do not reward theoretical issues or otherwise unproven assumptions without a proof of exploitability.
Please create your own account for authenticated pages using your @bugcrowdninja.com email address. (See here for more info on @bugcrowdninja emails: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address)
Everything that is not explicitly mentioned under "Targets" is currently out of scope, like:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.