Riot addresses “kernel-level driver” concerns with expanded bug bounties

by Kyle Orland, from Ars Technica
[Image: Artist's conception of hackers lining up for these new bug bounties.]

Last week, we took a look at the new Vanguard anti-cheat system being used in Riot's Valorant and the potential security risks of the kernel-level driver it utilizes. Now, in an effort to allow "players to continue to play our games with peace of mind," Riot says it is "putting our money where our mouth is" with an expanded bug bounty program, offering more money for the discovery of Vanguard vulnerabilities.

Bug bounties aren't new to the gaming industry or even to Riot Games, which says it has paid out nearly $2 million in such rewards since launching its bounty program in 2016. But Riot is now offering "even higher bounties" of up to $100,000 specifically for the discovery of "high quality reports that demonstrate practical exploits leveraging the Vanguard kernel driver."

The largest bounties in Riot's newly expanded program are available for attacks that are able to exploit the Vanguard driver to run unauthorized code at the kernel level (something of a nightmare scenario that could give an attacker full, low-level access to a machine), but exploits that merely provide "unauthorized access to sensitive data" will also be rewarded. The bounties apply to network-based attacks that need no user interaction, vulnerabilities that require user action (like clicking on a malicious link), and exploits that require "guest user" access to the system itself, in declining order of potential reward.
