InnoGames is among gaming brands like Nintendo and Riot Games taking a proactive approach to protecting its assets with a bug bounty program. They've invited trusted hackers to identify potential security weaknesses on their site. Since 2019, InnoGames has resolved over 58 vulnerabilities with the help of 196 hackers and paid out US$25,000.
In a Q&A interview, Kevin Heseler, Security Engineer at InnoGames, recently spoke with HackerOne about how InnoGames leverages its bug bounty program to secure its games and the unique approach it has taken to rewarding its most valuable hacker.
InnoGames Working with Trusted Hackers to Identify Potential Security Weaknesses
Q: Please introduce yourself. Tell us what you do at InnoGames and why cybersecurity is so important to your business.
Kevin: My name is Kevin Heseler and I am one of the Security Engineers at InnoGames. Our mission is to ensure that our games are always available for our players to enjoy and that no one gets an unfair advantage.
Q: Why did InnoGames launch a bug bounty program?
Kevin: While our gaming community is already a great asset for finding issues in the games, every hacker, researcher or security engineer has a different testing focus. Everyone can bring their own specialised knowledge or skill set to the game.
Q: How does this fit into InnoGames's larger cybersecurity strategy?
Kevin: A public bug bounty gives InnoGames an additional channel for receiving information on bugs from many pairs of eyes. We can therefore identify new attack vectors and patterns and lower the administrative overhead for rewarding security researchers for bugs they find.
InnoGames has had a public bug bounty program for four and a half years in total. At first we did this by ourselves, where we learned that it can take significant time to triage the issues, and that rewarding researchers on the other side of the world can create very high administrative costs! About 3 years ago, we started to use a platform service, which helps us to focus on the issues, rather than on the administration.
Q: Any memorable interactions with hackers to date? Favorite bugs?
Kevin: I think my favourite bug was a race condition, which was found in our Friend-invite feature. If you were quick enough, you could score some extra in-game currency. While it was not a substantial amount, the bug was really cool.
Q: Has anything surprised you about the program? What didn't you expect?
Kevin: I was quite surprised by how many hackers returned to the program after not reporting anything for some time. I take this to mean our program is still an attractive one for researchers, I think because games are cool!
Q: What findings is the team most interested in surfacing? What types of bugs are most valuable to InnoGames?
Kevin: Game Logic bugs or cheats are really cool findings; this is a unique attack surface for researchers to test.
Q: Tell us about the avatar promotion?
Kevin: We thought: We are a gaming company, how can we honour the most impactful researcher? And then it clicked: We can put a researcher in our game. We sat together with the artists for our biggest game, Forge of Empires, and figured out where to best place the researcher. A game avatar was the chosen option since anybody can see it within any era of the game.
After running the promotion, the honour was awarded to Batee5a. Batee5a is also a player of our games so we knew he would be excited about this prize as well.
Q: How did you choose Batee5a as the winner?
Kevin: We looked through all the reports and checked who had the biggest impact on our program based on submission count and severity of bugs submitted. Batee5a was the clear winner.
Q: Will you be running the promotion again?
Kevin: We are always looking at different ways we can encourage researchers and show special appreciation to the ones who stand out.
Q: Do you have any advice for hackers looking to hack on your program?
Kevin: Don't think like a researcher for the first two hours; play the games. Understand how the application works, how the interaction between players works and what you should not be able to achieve.
Q: Do you have any advice for other organizations or security leads in regard to running a bug bounty program?
Kevin: Always keep your researchers in the loop. If you pause triage because of holidays or if the scope changes, talk to the researchers and explain what you are doing and why you are doing it. Bonus payments and promotions are a really cool thing and a powerful tool. However, some things money cannot buy. So, if you have a cool service, think about how you can honour the researcher through it.
What is a Bug Bounty Program?
Much like how bounties in the days of old used to work, bug bounties today are offered by organizations to invite others to hunt for bugs on their applications or platforms. These bugs can take the form of exploits, vulnerabilities or more.
Bugs found earlier on in a product's life cycle can significantly lessen the overall security risk profile of an application or platform. Today, many companies, in both the private and public sectors, have implemented bug bounty programs successfully.
Thanks to the widespread use of digital technology today, exploits and vulnerabilities have the potential to affect a much larger demographic than ever before. The same applies to any other cyberthreats, and anyone connected to the web today should be taking cybersecurity seriously.