Offering up to $100k to find flaws in new software.
As reported yesterday by Jack Frost, Riot’s new anti-cheat software, Valeriant, installs itself deeper into users’ PCs than most software: directly into your computer’s kernel. Now, through a bounty hosted on HackerOne, users are being invited to help pinpoint security vulnerabilities in that software, with the more dangerous exploits earning the most money. The lowest level is $25,000 for finding a flaw that lets hackers access a user’s personal information, while the highest is described as “code execution on the kernel level”, which would basically allow a hacker to hijack a computer completely.
Such anti-cheat software is troubling on its own, given how easily such software can produce false positives and just how deep into your computer’s “brain” it gets its hooks. Riot seems a bit aware of this fact, as this bounty is far higher than most others posted on the site to help find security flaws, with the next highest being Rockstar Gaming at $10,000 at most. Riot’s own bounties for its other games don’t come anywhere near this amount, and a spokesman for its security team stated the tactic was intended to allow them to put their money where their mouth is.
Regardless, Valeriant has become a cause for concern for many users, as it is not only always on and given the highest permissions, but any bugs that are found in the software will require Riot to work with Microsoft to fix them. Given Riot’s ties to Tencent, a Chinese company that holds a whopping 93% stake in Riot, it’s easy to worry that they may abuse such access themselves, with users possibly none the wiser.