07/02/2019

Reward: 50 $

In Scope

Scope Type Scope Name
other com.innogames.enterprise.elvenar
other air.com.innogames.grepolis.com
other com.innogames.foeandroid
undefined com.innogames.enterprise.grepolis.com
undefined com.innogames.enterprise.iforge

Notes for the web_application scopes:

Test game worlds:

  • Request limit does not apply
  • The game worlds will be reset and updated regularly without any advance notice
  • All users on these systems are testers so you will not impact any players

Typo3-based sites:

  • If you find bugs in Typo3 please report them directly; these are not covered by this program unless a new Typo3 version has been released for more than 30 days
  • The settings, custom-built extensions and integrations are covered under this program
  • Vulnerabilities resulting from outdated versions are covered under this program
  • Please DO NOT test the contact form at https://www.innogames.com/company/contact/

Ticket system:

  • Please avoid creating many new tickets, but instead concentrate your testing on the ticket contents.

Payment process (www.igpayment.com):

  • Register an account in one of our web-based browser games (the test markets cannot be used for this)
  • When in the game, launch the payment process by clicking the "+" symbol next to your diamond count
  • You're now in the payment process where you can select different diamond packages
  • Find the iframe referencing www.igpayment.com within the page source
  • The iframe URL looks like this:
  • You can also use the voucher system to execute requests.
  • Happy Fuzzing

login.innogames.de:

  • We do not provide accounts for this service and there are no registration pages available.
  • That said, feel free to try and break it from a blackbox perspective.
  • Brute-force testing is not allowed on login.innogames.de

InnoGames

Attention!

Hackers, you are being assigned a quest by General Grivus, the Gods of Grepolis, and the Tribe Leaders of Tribal Wars. Elves and Humans of Elvenar are requesting aid! They are looking for the most impactful Hacker to help defend their worlds and need your help! The quest is valid until 30th November 2019 and the treasure on offer is the chance to join your allies in Forge of Empires as your own avatar!

A little more detail about this quest: InnoGames will create a Forge of Empires player avatar with your image! The most impactful Hacker will be at the discretion of the InnoGames team and will be announced in December 2019. Please be aware that we will not award the Hacker who has the most valids or crits but the one who has demonstrated impact and value over the period outlined above. We will be including existing submissions so far in the program. Best of luck!

InnoGames Microblog:

2019-07-12 - Monthly rotation time! Tribal Wars is now ineligible for bounty again, but Grepolis is eligible now! If you are still working on a complicated Tribal Wars exploit, this weekend is considered a grace period. Happy hunting!
2019-07-11 - Adding backend endpoints of non-scope apps as Out-Of-Scope.
2019-07-04 - Adding gamejam.innogames.de to the Out-Of-Scope section, as it redirects to a different non-scope domain.
2019-06-07 - Monthly rotation time! Grepolis is now ineligible for bounty again, but Tribal Wars is eligible now! If you are still working on a complicated Grepolis exploit, this weekend is considered a grace period. Happy hunting!
2019-05-07 - Grepolis is back and now eligible for bounty again, until 2019-06-07. Happy hunting!
2018-03-19 - Making Grepolis ineligible for bounty for the public launch; don't worry, it will return!


InnoGames looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Ratings and Rewards


For the initial prioritisation/rating of findings, this program will use the CVSS classifications. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.


Response Targets

InnoGames will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 7 business days

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Proof-of-Concept Files

Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or TinyURL). Try to include all your PoC screenshots/videos as an attachment to your report.

Bonus Rewards

For very well-written reports and/or reports that fully describe exploit chains, researchers may receive an additional 10% reward bonus. Bonus rewards are given at the sole discretion of the InnoGames customer triage team.

We at InnoGames will also be offering an additional bonus to be awarded for your findings. The nature with which the vulnerability is ascertained will factor into the additional bonus received. We've broken these down into three different tiers; what qualifies for each is listed below:

Tier 1 - Increase on Bounty

  • One in-game resource can be reduced for another player (not targeted, no enumeration)
  • Another player is prevented from playing for more than an hour (not targeted, no enumeration)
  • One in-game resource can be multiplied for the player running the exploit

Tier 2 - Increase on Bounty

  • The PoC or bug shows an attack vector against our environment that was previously unknown to us
  • PI of a player can be extracted (unspecific, no enumeration possible)
  • Player-to-player communication can be read (not targeted, no enumeration)
  • One in-game resource can be multiplied for another specified player
  • Another specified player is prevented from playing for more than an hour
  • One in-game resource can be reduced for another specified player

Tier 3 - Increase on Bounty

  • Unlimited Premium Currency can be gained without a payment method being used
  • PI of a player can be extracted and a specific player can be targeted
  • The source of any player-to-player communication can be set to another specific player, without that player noticing it
  • The source of any player-to-player communication can be set to another specific player, with that player noticing it
  • The source of any player-to-player communication can be set to another random player
  • Player-to-player communication can be read for a specific target
  • The bug is critical for the gameplay and is therefore being fixed within the current release by the team

PI = Private Information

Important: The additional bonus awarded will be reduced if:

  • The Attack needs to be individually crafted per target player
  • The Attack can be automatically detected in the current implementation
  • The Attack requires an additional social engineering component

Focus Areas

Besides the classic web-based vulnerability classes such as XSS, CSRF, IDOR, SQLi, RCE, we are mostly interested in security vulnerabilities that affect the game's ecosystem in a negative manner, such as:

  • Disclosure of personal information or messages from other player accounts
  • Manipulation of the progress of other players
  • Cheating in battles against other players

Premium Testing Credit - Currency (Diamonds)

Feel free to create as many accounts as you need in order to efficiently test the game ecosystem. Every registered account will receive an amount of 250.000 diamonds in order to facilitate testing of the premium parts of the game. If you need more, just let us know.

Rules of Engagement


We only reward vulnerabilities with proven exploitability which lead to a significant impact on our integrity or confidentiality. We do not reward theoretical issues or otherwise unproven assumptions without a proof of exploitability.

Please create an account on your own for authenticated pages using your @wearehackerone.com email address (see HackerOne's information on @wearehackerone.com emails for more details).

Out of Scope

Everything which is not explicitly mentioned under "Targets" is currently out of scope. Additionally the following is out of scope:

  • The contact form at https://www.innogames.com/company/contact/
  • Brute-force testing is not allowed on login.innogames.de
  • All newly and publicly released software vulnerabilities have a blackout period of 30 days before they will be accepted in this program.
  • All of our other games
  • All applications/services that are not InnoGames-branded or are developed externally, for example:

For *.innogames.com (3rd party services, may not be tested):

  • pn.innogames.com
  • press.innogames.com
  • mail.innogames.com
  • *.innogames.com domains which redirect you to a 3rd party service
  • If in doubt, a whois on the IP should show you whether it is an external service or at least one run by InnoGames

For *.innogames.com (3rd party applications; vulnerabilities due to outdated versions (>30d) or our custom settings are covered):

  • forum.innogames.com

For *.innogames.de (3rd party services, may not be tested):

  • slack.innogames.de
  • surveys.innogames.de
  • exchange.innogames.de
  • mail.innogames.de
  • om-cdn.innogames.de
  • gamejam.innogames.de (which redirects to igjam.eu)
  • *.innogames.de domains which redirect you to a 3rd party service
  • If in doubt, a whois on the IP should show you whether it is an external service or at least one run by InnoGames

For *.innogames.de (3rd party applications; vulnerabilities due to outdated versions (>30d) or our custom settings are covered):
This list contains subdomains of 3rd party applications; however, there may be more which are not included but are still out of scope. Before submitting a report, double-check that the system is under InnoGames control.

  • sip.innogames.de
  • lyncdiscover.innogames.de
  • mailout.innogames.de
  • autodiscover.innogames.de
  • email.*.innogames.de
  • call.innogames.com
  • sip.innogames.com
  • conferencing.innogames.com
  • mra.innogames.com
  • meet.innogames.com
  • jamf.innogames.com
  • igjam.eu

All apps which are not mentioned in the scope are considered Out-Of-Scope. This also applies to their connected backend services, even though they might be on an in-scope server: if a specific route is solely used by such an app, it will be considered Out-Of-Scope.

The following finding types are specifically excluded from the bounty:

  • Denial of Service (DoS) attacks of any kind
  • Physical, social engineering and ClickJacking attacks
  • All bugs that allow an individual to gain only personal (dis)advantages
  • Plain results of automated scanners
  • Using unreported vulnerabilities to find other bugs
  • Internal pivoting, scanning, exploiting
  • Outdated, known-vulnerable software without a fully functional exploit
  • Vulnerability reports without proven exploitability
  • Theoretical issues or otherwise unproven assumptions without a proof of exploitability
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Certificates or static keys hard-coded/recoverable in apk/ipa (you can use these to find issues in the api though)
  • Sensitive data in request bodies when protected by TLS
  • Any kind of sensitive data stored in app private directory
  • DMARC or SPF related issues
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Self-XSS
  • User enumeration in the games (as the users must be known to play the game)

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep InnoGames and our users safe!

FireBounty © 2015-2019
