Running a Bug Bounty Program

Hello, David Rook here. I’m the product owner of application security at Riot Games. In an effort to provide the best and most secure game experiences to League of Legends players, we’ve been running a bug bounty program for a few years now. When it comes to finding bugs in our live services, we wanted to ensure that we were listening to researchers all over the globe. The program has yielded terrific results for us, so in this article I wanted to share some of the details - I hope it’s interesting to anyone considering running a similar program.

Back in May, Riot hosted the OWASP LA chapter meeting, and I presented on this topic. My talk focused on the history of our program, how we run it, and the lessons we’ve learned. Before sharing a video excerpt I hope will be especially interesting, I wanted to highlight our overall philosophy towards our bug bounty program:

1. Fight together, not with each other

Researchers will break things and test limits - it’s what they’re great at. We should help them understand our rules and limits instead of immediately resorting to the ban hammer.

2. Make researchers feel like part of the team

We want researchers to feel like they are part of the Riot InfoSec team. We want them to care about helping us level up the security of our products.

3. KISS (Keep It Simple, Stupid) when it comes to program scope

Our scope should be simple and easily communicated. If an issue could affect a player, it’s in scope.

4. Value researchers’ time and reward them well

We never want a researcher to feel like it’s not worth their time to find vulnerabilities. Our minimum payouts are an acceptable reward and our average payouts reward the best researchers in the world for their unique skills and time.

5. Build a world class program to attract the best researchers

We want to be the most researcher-focused program in the world. Our researchers should have a positive and rewarding experience when working with Riot.

With that in mind, I’d love to share the video from OWASP, in which I discuss the day-to-day details of how we run our program and cover lessons we’ve learned throughout the process.



Our program is still fairly new and we’d love to get feedback on how you think we’re doing and where we can improve. Let us know what you think of the talk in the comments below, and best of luck hacking the planet (or just Riot products!). If you like what you’ve seen today and would like to join our InfoSec team we’re always looking for awesome people.

Posted by David Rook