07/02/2019

InnoGames

InnoGames looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Ratings


For the initial prioritisation/rating of findings, this program will use the CVSS classifications. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.


Response Targets

InnoGames will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days

Disclosure Policy

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organisation.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Proof-of-Concept Files

Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or TinyURL). Try to include all your PoC screenshots/videos as attachments to your report.

Focus Areas

Besides the classic web-based vulnerability classes such as XSS, CSRF, IDOR, SQLi, RCE, we are mostly interested in security vulnerabilities that affect the game's ecosystem in a negative manner, such as:

  • Disclosure of personal information or messages from other player accounts
  • Manipulation of the progress of other players
  • Cheating in battles against other players

Premium Testing Credit - Currency (Diamonds)

Feel free to create as many accounts as you need in order to efficiently test the game ecosystem. Every registered account will receive an amount of 250.000 diamonds in order to facilitate testing of the premium parts of the game. If you need more, just let us know.

Rules of Engagement


Please only submit vulnerabilities with proven exploitability which lead to a significant impact on our integrity or confidentiality.

Please create your own account for authenticated pages using your @wearehackerone.com email address.

Out of Scope

Everything which is not explicitly mentioned under "Targets" is currently out of scope. Additionally, the following is out of scope:

  • The contact form at https://www.innogames.com/company/contact/
  • Brute-force testing is not allowed on login.innogames.de
  • Any newly and publicly released software vulnerability has a black-out period of 30 days before it will be accepted in this program.
  • All of our other games
  • All applications/services that are not InnoGames-branded or are developed externally, for example:

For *.innogames.com (3rd party services, may not be tested):

  • pn.innogames.com
  • press.innogames.com
  • mail.innogames.com
  • *.innogames.com domains which redirect you to a 3rd party service
  • If in doubt, a whois lookup on the IP should show whether it is an external service or at least run by InnoGames

For *.innogames.com (3rd party applications; vulnerabilities due to outdated versions (>30d) or our custom settings are covered):

  • forum.innogames.com

For *.innogames.de (3rd party services, may not be tested):

  • slack.innogames.de
  • surveys.innogames.de
  • exchange.innogames.de
  • mail.innogames.de
  • om-cdn.innogames.de
  • *.innogames.de domains which redirect you to a 3rd party service
  • If in doubt, a whois lookup on the IP should show whether it is an external service or at least run by InnoGames

For *.innogames.de (3rd party applications; vulnerabilities due to outdated versions (>30d) or our custom settings are covered):
This list contains subdomains of 3rd party applications; however, there may be more which are not included but are still out of scope. Before submitting a report, double-check that the system is under InnoGames control.

  • sip.innogames.de
  • lyncdiscover.innogames.de
  • mailout.innogames.de
  • autodiscover.innogames.de
  • email.*.innogames.de
  • call.innogames.com
  • sip.innogames.com
  • conferencing.innogames.com
  • mra.innogames.com
  • meet.innogames.com
  • jamf.innogames.com

The following finding types are specifically excluded from scope:

  • Denial of Service (DoS) attacks of any kind
  • Physical, social engineering and ClickJacking attacks
  • All bugs that allow an individual to gain only personal (dis)advantages
  • Plain results of automated scanners
  • Using unreported vulnerabilities to find other bugs
  • Internal pivoting, scanning, exploiting
  • Outdated, known-vulnerable software without a fully functional exploit
  • Vulnerability reports without proven exploitability
  • Theoretical issues or otherwise unproven assumptions without a proof of exploitability
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Certificates or static keys hard-coded/recoverable in the apk/ipa (you can use these to find issues in the API, though)
  • Sensitive data in request bodies when protected by TLS
  • Any kind of sensitive data stored in app private directory
  • DMARC or SPF related issues
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep InnoGames and our users safe!


FireBounty (c) 2015-2019