Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
InnoGames GmbH logo
Hall of Fame


100 $ 

InnoGames GmbH

No Submissions after 15-12-2018 12:00 UTC will be accepted, due to

Christmas holidays. After the holidays the program will be shut down on BugCrowd.

With around 150 million registered players, InnoGames is one of the worldwide leading developers and publishers of online games. Currently, more than 350 people from 30 nations are working in the Hamburg-based headquarters. Here community management, development and system administration work seamlessly together. This, combined with close contact to our players, creates a strong foundation that promotes the continued improvement of our games.


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Bonus Rewards

For very well-written reports and/or reports that fully describe exploit chains, researchers may receive an additional 10% reward bonus (minimum). Bonus rewards are given at the sole discretion of the InnoGames customer triage team.

Impact Descriptions

Reports should ALWAYS include an impact description & proof-of-concept. For example, an XSS vulnerability report should include proof of the vulnerability AND proof that a user's cookie can actually be stolen, rather than just assuming the vulnerability's impact.

If a submission does not contain an impact description, is not fully

explained, or the impact of the vulnerability is assumed, the submission will not be eligible for reward.

Proof-of-Concept Files

Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or Tinurl). Try to include all your PoC screenshots/videos as an attachment to your report (up to 50MB), if this is not possible, please leave a note in the report about it and email

Reward Range

Last updated 22 August 2018 21:12:34 UTC

Technical severity | Reward range
p1 Critical | $1,800 - $3,000
p2 Severe | $900 - $1,800
p3 Moderate | $400 - $900
p4 Low | $100 - $400

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
* | Website
* | Website
* | Website

Any domain/property of InnoGames which is not listed in the targets section above is out of scope. This includes any/all subdomains not listed above.

Testing Notes

Please note: Unfortunately, we cannot provide test credit cards or other payment accounts at this time.
Please DO NOT test the contact form at

Notes for

This is our central login and account management tool

  • We do not provide accounts for this service and there are no registration pages available.
  • That said, feel free to try and break it from a blackbox perspective.
  • Brute-force testing is not allowed on

Notes for

This is our payment environment used in all of our games. Steps to test:

  • Register an account in one of our web-based browser games (like Forge of Empires)
  • When in the game launch the payment process by clicking the "+" symbol next to your diamond count
  • You're now in the payment process where you can select different diamond packages
  • Find the iframe referencing within the page source
  • The iframe URL looks like this:{sessionId}

  • You can also use the voucher system to execute requests.

  • Happy Fuzzing

Notes for

  • Please avoid creating many new tickets, but instead concentrate your testing on the ticket contents.

Rules of Engagement

We do only reward vulnerabilities with proven exploitability which lead to a significant impact on our integrity or confidentiality. We do not reward theoretical issues or otherwise unproven assumptions without a proof of exploitability.

Please create an account on your own for authenticated pages using your email address. (see here for more info on @bugcrowdninja emails: address)

Low Impact Vulnerabilities

  • Self Exploitations
  • HTTP Host Header XSS
  • Open Redirects
  • Lack of SSL or Mixed content on authenticated pages
  • Reflected File Download (RFD)
  • Content Injection (e.g. Arbitrary Text without HTML or JavaScript contents)


Everything which is not explicitly mentioned under "Targets" is currently out of scope like:

  • The contact form at
  • Brute-force testing is not allowed on
  • All newly, publicly released software vulnerabilities have a black out period of 30 days before they will be accepted in this program.
  • All of our games
  • All applications/services that are not InnoGames-branded or developed externally, such as:
  • For *
    • email.*

The following finding types are specifically excluded from the bounty:

  • Denial of Service (DoS) attacks of any kind
  • Physical and social engineering attacks
  • Results of automated scanners
  • Using unreported vulnerabilities to find other bugs
  • Internal pivoting, scanning, exploiting, or exfiltrating data from internal InnoGames systems
  • Outdated, known-vulnerable software without a fully functional exploit

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019

Legal notices