Riot Games Surpasses 1,000 Valid Reports: Q&A
At the end of 2018, Riot Games surpassed one of the biggest milestones of its bug bounty program to date: 1,000 valid vulnerabilities reported to the program. The League of Legends maker launched its bug bounty program in 2014 to help secure Riot services, software, and its more than 80 million players worldwide. Today, its security team celebrates 1,000 issues fixed and 1,000 opportunities to better protect players.
We connected with Riot Games Security Engineer Diarmaid McManus to learn more about what the milestone means to him and the team, as well as the greater impact HackerOne’s community has had on their security practice. Check out our conversation below.
Q: 1,000 valid reports! What makes this milestone meaningful to your team? What other program metrics are you most proud of to date?
A: Many of the issues reported to our bug bounty program introduced real risk to our players. When we decide what security controls to implement, and how to prioritize fixes, the impact on the player experience is the first thing we think of. This led to some decisions around, for example, TLS: should we support outdated cipher suites so that people on older operating systems could still play our game, or increase security and lock some players out? Reducing the risk of any of the issues reported to us, not to mind 1,000, is a great milestone.
Q: How has Riot’s program evolved over the past couple years?
A: Over the last few years, we've massively grown the number of hackers involved in our program, introducing new researchers with fresh perspectives, who have skills in new areas. Once a lot of the low-hanging fruit was found earlier in the program, our time to resolution began to improve. This also means faster bounty payouts. These days, we see fewer bugs, which have higher impact. This is exactly what you'd expect to see from a maturing security program. Last year, we also started using HackerOne triage services, which has taken a lot of work off the shoulders of the Riot Games Security team, allowing us to focus on day-to-day work. At the same time, we introduced a clear bounty table giving hackers more visibility into the payout structure. Finally, introducing the Legal Bug Bounty framework, based on the work done by Amit Elazari and the example disclosure policy published by Dropbox, gives researchers further confidence that their testing is authorized.
Q: Were there any unexpected benefits? If so, what were they?
A: We weren't expecting how much teams would want to learn about issues reported to *other* teams. It has been a great experience sharing the more damaging vulnerabilities between teams and amongst the wider company. One of our team members, Dan Pantry, recently gave a talk about one vulnerability to a conference hall full of engineers. It's important to share what you learn from the Bug Bounty program across the organization.
Q: What’s the biggest lesson learned over the course of your program?
A: Build an asset inventory. Mine every data source you have to discover sites you have published in the past. We had plenty of old microsites, publishing portals, and projects like flash games where the original team had long been reorganized, and there was no clear owner of the project. Try to resolve your low hanging fruit internally first, but you’ll never know what your low hanging fruit is without an asset inventory.
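The "mine every data source you have" advice above can be turned into a small, repeatable job. The following is an added example, not Riot's or HackerOne's code: it merges hostnames from three constructed data sources (a BIND-style DNS zone export, the Subject Alternative Names of a few TLS certificates, and a CMS export of microsites with an owner field) into one inventory, fills in owners from a hypothetical team registry, and lists the hosts that still have nobody responsible for them. The zone content, SAN list, CMS rows and owner registry are all made up for the example; the `example.com` zone suffix is an assumption.

```python
"""First-pass asset inventory from internal data sources (added example)."""
import re
from urllib.parse import urlsplit

# --- constructed inputs: none of this is real Riot data ---
DNS_ZONE = """\
; constructed BIND-style zone export
www.example.com.        300 IN A     203.0.113.10
promo2015.example.com.  300 IN CNAME legacy-lb.example.com.
legacy-lb.example.com.  300 IN A     203.0.113.20
flashgame.example.com.  300 IN CNAME oldhost.example.net.
api.example.com.        300 IN A     203.0.113.30
"""

# SANs collected from certificates issued for the organisation (constructed)
CERT_SANS = ["www.example.com", "*.example.com", "press.example.com", "api.example.com"]

# Export from a publishing portal / CMS; an empty owner means nobody claimed it
CMS_EXPORT = [
    {"site": "https://promo2015.example.com/", "owner": ""},
    {"site": "http://press.example.com/launch/", "owner": "comms-team"},
    {"site": "https://www.example.com", "owner": "web-platform"},
]

# Hypothetical team registry: host -> owning team
OWNER_REGISTRY = {"www.example.com": "web-platform", "api.example.com": "platform-api"}

ZONE_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)", re.I)


def norm(host):
    """Canonical hostname: strip the trailing dot, lower-case."""
    return host.rstrip(".").lower()


def hosts_from_zone(zone_text):
    """Yield (host, cname_target_or_None) for every A/AAAA/CNAME record."""
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ZONE_LINE.match(line)
        if not m:
            continue
        host, rtype, rdata = m.groups()
        yield norm(host), (norm(rdata) if rtype.upper() == "CNAME" else None)


def hosts_from_sans(sans):
    """Wildcard SANs name a namespace, not a concrete asset, so skip them."""
    return [norm(s) for s in sans if not s.startswith("*")]


def hosts_from_cms(export):
    """Yield (host, owner_or_None) from the CMS site URLs."""
    for entry in export:
        yield norm(urlsplit(entry["site"]).hostname), (entry["owner"].strip() or None)


def build_inventory(zone=DNS_ZONE, sans=CERT_SANS, cms=CMS_EXPORT, owners=OWNER_REGISTRY):
    """Merge all sources into {host: {"sources": set, "owner": str|None, "cname": str|None}}."""
    inv = {}

    def entry(host, source):
        e = inv.setdefault(host, {"sources": set(), "owner": None, "cname": None})
        e["sources"].add(source)
        return e

    for host, target in hosts_from_zone(zone):
        e = entry(host, "dns")
        if target:
            e["cname"] = target
    for host in hosts_from_sans(sans):
        entry(host, "cert")
    for host, owner in hosts_from_cms(cms):
        e = entry(host, "cms")
        if owner:
            e["owner"] = owner
    for host, owner in owners.items():
        e = entry(host, "registry")
        e["owner"] = e["owner"] or owner  # CMS-declared owner wins if both exist
    return inv


def unowned(inv):
    """Hosts with no owner in any source: the candidates for old, forgotten projects."""
    return sorted(h for h, e in inv.items() if e["owner"] is None)


def external_cnames(inv, zone_suffix="example.com"):
    """Hosts whose CNAME points outside our zone; stale ones deserve a manual check."""
    return sorted(h for h, e in inv.items()
                  if e["cname"] and not e["cname"].endswith("." + zone_suffix))


if __name__ == "__main__":
    inv = build_inventory()
    for host in sorted(inv):
        e = inv[host]
        print(f"{host:24} owner={e['owner'] or '-':14} sources={','.join(sorted(e['sources']))}")
    print("no owner:", unowned(inv))
    print("CNAME out of zone:", external_cnames(inv))
```

Each real data source (zone transfers from the authoritative DNS, certificate transparency logs, CDN and load-balancer configs, old CMS databases) gets its own small extractor like the three shown; the value is in the merge, which is what surfaces the hosts that appear in DNS or on a certificate but that no team claims.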
Q: What advice would you give others starting their programs now?
A: Make sure you have a good process for bug fixing in place, including buy-in from whichever teams will be implementing fixes. It's vitally important to be in a position to resolve bugs that researchers report, so that you minimize the number of duplicates being reported; this saves the researcher, and your organization, time and frustration. Be ready for a large number of reports when you first launch. You might be overwhelmed with the initial influx of reports. Consider what the most damaging class of vulnerability would be for your organization. Initially for Riot Games, these were XSS vulnerabilities; for a lot of organisations nowadays, it could be data compromise through, for example, S3 buckets. Invite researchers who specialise in going deep on these types of issues.
Q: When looking at the security industry as a whole, what do you think needs to change?
A: Some of the industry has a mentality that if a security control won't stop every single attacker, it should be dismissed out of hand. This crops up especially often, and quite often recently, with Two Factor Authentication (2FA). Dismissing SMS 2FA due to SIM swapping fraud, or dismissing app-based 2FA due to projects like evilginx, doesn't appreciate the additional work this imperfect control forces an attacker to do. Dissent is healthy, but criticizing defenders for a solution they've decided is effective for their threat model feels like quick point scoring.
Q: What’s next for Riot’s Bug Bounty program?
A: We have a lot of valuable feedback from researchers in the pipeline to action, which will reduce the time to award for our researchers. If you keep researchers happy they’ll stick with your program, so that’s our focus for now!
To learn more about Riot Games’ bug bounty program, visit https://hackerone.com/riot/.