[{"id":3767664,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. 
\n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. 
**Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500||\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n|Web Cache Poisoning|$500|Denial of service through cache poisoning|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for 
preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n\n###Denial of Service\n|Description|Max Severity|\n|--|--|\n|Single, small request to Fortnite game services resulting in matchmaking outage|Critical|\n|Single, small request to Fortnite game services resulting in outage to specific region|Critical|\n|Unintended large (5k+ character) requests to game endpoint causing delays or loss of service|High|\n|DoS on developer facing services without game  services impact|High|\n|DoS on components of non-player facing services|Medium|\n|DDoS|Invalid|\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\nUnreal Revision Control (URC), Unreal Engine Projects, and other User Generated Projects:\n\n* Issues which rely on the victim to join a project/organization are not considered valid unless:\n     * You are able to publish code to an organization you are not a member of\n     * You are able to add users to an organization without their consent\n* Issues relying on maintainers of projects sabotaging their own projects are not considered in scope\n     * Similarly, issues relying on hijacking a high privilege account and subsequently sabotaging a project are also out of scope. The method by which ATO is achieved may be considered in scope.\n* Findings due to modifications of the underlying URC framework via URC projects are considered in scope\n     * Eg: Replacing executables explicitly used by URC via a project, or a project which causes it to behave in unintended ways\n* Timing attacks which may briefly allow access to new organizations are out of scope\n* Security issues specific to underlying IDEs are out of scope, unless the issue is unique to how URC integrates with the IDE\n* Vulnerabilities caused by end of life IDEs are out of scope\n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case 
basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You are able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Any exploitable Zero Day vulnerabilities will only be valid if also reported to the corresponding maintainer or owner of said software/service. Zero day findings are not eligible for awards unless discovered on an in-scope asset more than 30 days after the zero day has been disclosed to the public.\n\n* Cache poisoning-based denial of service attacks will be classified as low severity. 
If the resulting impact causes a significant service disruption for our players and/or creators then the severity will be re-evaluated.\n\n* Findings derived from application based Denial of Service (DoS) will only be valid when not relying on volumetric attacks and triaged based on factors including ease to exploit, impact, and importance of the affected service.  \n* Services which directly correlate to game services and game functionality generally have a higher impact than other services that would have little impact on player experience. Backend services which do not immediately impact the operation of game sessions will be considered a lower impact than those which have a direct impact on player/game experience.\n* Complexity of DoS is taken into account when assessing severity. Attacks which require consistent, repeated large payloads will max out at a severity of “High” unless there is substantial player impact.\n* Dependency confusion submissions are only valid for first party dependencies. These submissions will receive a maximum severity rating of \"Informative\" unless evidence is provided which shows download attempts on Epic owned infrastructure.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-19T20:37:57.030Z"},{"id":3767019,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data 
centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500||\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n|Web Cache Poisoning|$500|Denial of service through cache poisoning|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for 
preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n\n###Denial of Service\n|Description|Max Severity|\n|--|--|\n|Single, small request to Fortnite game services resulting in matchmaking outage|Critical|\n|Single, small request to Fortnite game services resulting in outage to specific region|Critical|\n|Unintended large (5k+ character) requests to game endpoint causing delays or loss of service|High|\n|DoS on developer facing services without game  services impact|High|\n|DoS on components of non-player facing services|Medium|\n|DDoS|Invalid|\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You are able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Any exploitable Zero Day vulnerabilities will only be valid if also reported to the corresponding maintainer or owner of said software/service. Zero day findings are not eligible for awards unless discovered on an in-scope asset more than 30 days after the zero day has been disclosed to the public.\n\n* Cache poisoning-based denial of service attacks will be classified as low severity. If the resulting impact causes a significant service disruption for our players and/or creators then the severity will be re-evaluated.\n\n* Findings derived from application based Denial of Service (DoS) will only be valid when not relying on volumetric attacks and triaged based on factors including ease to exploit, impact, and importance of the affected service.  \n* Services which directly correlate to game services and game functionality generally have a higher impact than other services that would have little impact on player experience. Backend services which do not immediately impact the operation of game sessions will be considered a lower impact than those which have a direct impact on player/game experience.\n* Complexity of DoS is taken into account when assessing severity. 
Attacks which require consistent, repeated large payloads will max out at a severity of “High” unless there is substantial player impact.\n* Dependency confusion submissions are only valid for first party dependencies. These submissions will receive a maximum severity rating of \"Informative\" unless evidence is provided which shows download attempts on Epic owned infrastructure.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-05T18:52:44.023Z"},{"id":3765745,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games 
program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. 
Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. 
The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n|Web Cache Poisoning|$500|Denial of service through cache poisoning|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for 
preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n\n###Denial of Service\n|Description|Max Severity|\n|--|--|\n|Single, small request to Fortnite game services resulting in matchmaking outage|Critical|\n|Single, small request to Fortnite game services resulting in outage to specific region|Critical|\n|Unintended large (5k+ character) requests to game endpoint causing delays or loss of service|High|\n|DoS on developer facing services without game  services impact|High|\n|DoS on components of non-player facing services|Medium|\n|DDoS|Invalid|\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Any exploitable Zero Day vulnerabilities will only be valid if also reported to the corresponding maintainer or owner of said software/service. Zero day findings are not eligible for awards unless discovered on an in-scope asset more than 30 days after the zero day has been disclosed to the public.\n\n\n* Cache poisoning-based denial of service attacks will be classified as low severity. If the resulting impact causes a significant service disruption for our players and/or creators then the severity will be re-evaluated.\n\n\n* Findings derived from application based Denial of Service (DoS) will only be valid when not relying on volumetric attacks and triaged based on factors including ease to exploit, impact, and importance of the affected service.  \n* Services which directly correlate to game services and game functionality generally have a higher impact than other services that would have little impact on player experience. Backend services which do not immediately impact the operation of game sessions will be considered a lower impact than those which have a direct impact on player/game experience.\n* Complexity of DoS is taken into account when assessing severity. 
Attacks which require consistent, repeated large payloads will max out at a severity of “High” unless there is substantial player impact.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-07T21:53:10.313Z"},{"id":3760620,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined 
below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. 
For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. 
\n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n|Web Cache Poisoning|$500|Denial of service through cache poisoning|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for 
preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Any exploitable Zero Day vulnerabilities will only be valid if also reported to the corresponding maintainer or owner of said software/service. Zero day findings are not eligible for awards unless discovered on an in-scope asset more than 30 days after the zero day has been disclosed to the public.\n\n* Cache poisoning-based denial of service attacks will be classified as low severity. If the resulting impact causes a significant service disruption for our players and/or creators then the severity will be re-evaluated.\n\n* Findings derived from application based Denial of Service (DoS) will only be valid when not relying on volumetric attacks and triaged based on factors including ease to exploit, impact, notoriety of the impacted service(s), and importance of the affected service.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-05T19:11:54.918Z"},{"id":3754658,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data 
centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n|Web Cache Poisoning|$1,000|Denial of service through cache poisoning|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method 
for preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You are able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Any exploitable Zero Day vulnerabilities will only be valid if also reported to the corresponding maintainer or owner of said software/service. Zero day findings are not eligible for awards unless discovered on an in-scope asset more than 30 days after the zero day has been disclosed to the public.\n\n* Findings deriving from application-based Denial of Service (DoS) will only be valid when not relying on volumetric attacks and triaged based on factors including ease to exploit, impact, notoriety of the impacted service(s), and importance of the affected service.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-30T18:35:37.941Z"},{"id":3754098,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data 
centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You are able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Any exploitable Zero Day vulnerabilities will only be valid if also reported to the corresponding maintainer or owner of said software/service. Zero day findings are not eligible for awards unless discovered on an in-scope asset more than 30 days after the zero day has been disclosed to the public.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-21T19:08:21.126Z"},{"id":3745324,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, former employees that separated from the company within the prior 18 months, interns, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program \n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data 
centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n* ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-26T21:00:58.421Z"},{"id":3744935,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* 
We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n*  ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-20T13:49:26.622Z"},{"id":3743465,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* 
We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* You may not use any Epic created content (such as Megascans) when performing testing on any of our digital marketplace products (Such as Fab).\n*  ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse effect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":["{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\"}","{\"platform_standard\":\"IDOR\",\"justification\":\"Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-01T15:45:04.903Z"},{"id":3743401,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access 
any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. 
For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings as to not pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, publish insensitive or illegal content, or any other publicly consumable content in a way that may have an adverse affect on user experience.==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to to any and all vulnerabilities you may find!","platform_standards_exclusions":["{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\"}","{\"platform_standard\":\"IDOR\",\"justification\":\"Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-31T18:49:04.930Z"},{"id":3741495,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United State has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access 
any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. 
For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings as to not pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse affect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to to any and all vulnerabilities you may find!","platform_standards_exclusions":["{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\"}","{\"platform_standard\":\"IDOR\",\"justification\":\"Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-08T23:18:13.691Z"},{"id":3732561,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United State has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access 
any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. 
For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings as to not pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse affect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":["VULNERABLE_NETWORK_CONECTION_IN_CLIENT_APPLICATIONS","IDOR"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T20:23:16.641Z"},{"id":3732557,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical 
attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T20:08:55.917Z"},{"id":3732556,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data 
centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Epic Games is continually working to protect our players, data, products, and services. We understand that there is an incredible community of talented security researchers who can  help further strengthen our security, so we're thrilled to run this program.\nIf you've found a vulnerability, please submit it so we can assess it. 
We look forward to to any and all vulnerabilities you may find!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T20:08:49.103Z"},{"id":3732555,"new_policy":"_____________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United State has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data 
centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings as to not pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse affect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. 
These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of 
a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T20:04:31.860Z"},{"id":3730934,"new_policy":"\nEpic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!  
\n\n______________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United State has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. 
\n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. 
**Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings as to not pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse affect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nYou understand that any media used to support your report should only be shared through HackerOne, and that the use of any public hosting service will be considered as unpermitted disclosure and could cause the report to be considered ineligible for bounties. 
If there is a need for use of a separate hosting service, please reach out to the program team for further instructions.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories. These examples don't guarantee any bounties or severity ratings for any reports, and should only be considered as a guideline:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. 
Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-25T19:48:13.115Z"},{"id":3724730,"new_policy":"\nEpic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!  
\n\n______________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United State has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. 
\n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. 
**Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. 
Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nHackerOne Platform Standards Deviations:\n============\n______________________________________________________________________________________________________________________\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. 
In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-02T14:56:57.099Z"},{"id":3721821,"new_policy":"\nEpic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!  
\n\n______________________________________________________________________________________________________________________\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n###Program Eligibility\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n###What's allowed/permitted\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n###What's not allowed/not permitted\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n###Legal\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. 
\n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may, at our sole discretion, result in ineligibility for bounties and/or removal from the program.\n______________________________________________________________________________________________________________________\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\n**What's required**\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* Where applicable, you should use the following custom HTTP header during testing: X-Bug-Bounty: Hackerone-\u003cusername\u003e to  differentiate your requests from those from normal users. Example:  X-Bug-Bounty: Hackerone-FlyingToasters. Additional custom headers may be added to differentiate between tests or reports.\n* Whenever possible, your reports should include as much information as possible regarding your tests and environment. For example: AccountID, IP, SessionID, Client Version, Client Log File, Date and Time, etc.\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. 
**Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n______________________________________________________________________________________________________________________\nDisclosure Guidelines\n=============\n______________________________________________________________________________________________________________________\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n______________________________________________________________________________________________________________________\nBounty Examples\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories:\n\n###General\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, other core infrastructure endpoints, or another player’s computer|$25,000||\n|Authentication bypass on Epic Games Store Accounts|$25,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|$15,000|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|$15,000| |\n|Payment process bypass|$15,000|Complete purchases in-store or in-game without payment|\n|Privilege escalation on in-scope Epic services|$7,500|\n|Product price altering|$5,000|Complete purchases in-store or in-game with a modified price. Ex. 
Buy a $10 item for $1|\n  \n\n###Fortnite\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Being able to enumerate the server IP address of another player in real-time.|$15,000|Online game modes, primarily ranked modes.|\n|Being able to crash a server that you are not a member of|$10,000||\n|Being able to modify a game characteristic in a previously unknown and unique way to give you a considerable gameplay advantage|$10,000|* non-custom Solo BR match|\n|Being able to crash other people|$15,000|Severity will be assessed based on if they are part of your social party, friends or strangers.|\n|Being able to crash a server you are a member of|$5,000||\n  \n###Easy Anti Cheat\n|Description|Potential Bounty|Notes|\n|--|--|--|\n|Local privilege escalation using the anti-cheat service or driver|$10,000||\n|Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory|$5,000||\n|Implementation details of a previously unknown and unique method for preventing anti-cheat detections|$5,000||\n|Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers|$5,000||\n  \n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nWe generally follow the OWASP Top 10 Application Security Risks, however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. \nEligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)  \n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. 
All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-28T17:29:34.350Z"},{"id":3721817,"new_policy":"\nEpic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. 
Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n______________________________________________________________________________________________________________________\nBounties\n=============\n______________________________________________________________________________________________________________________\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are not a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional * non-custom Solo BR match\n\n### Medium\n* Being able to crash a server that you are a member of\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. 
This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n______________________________________________________________________________________________________________________\nOut of Scope\n============\n______________________________________________________________________________________________________________________\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Fortnite UEFN Live Edit Session Crashes are considered out of scope\n* Social engineering (e.g. phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets)\n\n______________________________________________________________________________________________________________________\nAdditional Notes\n============\n______________________________________________________________________________________________________________________\n* For different attack vectors that result in the same mitigation, we reserve the right to reward the first report that is validated for that fix. 
All subsequent reports addressed by that mitigation will be considered duplicates, regardless of the attack vector.\n\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n* Vulnerable Network Connection in Client Applications: Vulnerabilities that require being on the same network as a victim (“Man-In-The-Middle” -MITM- attack) will be considered on a case by case basis.\n\n\n* Insecure Direct Object Reference (IDOR) vulnerability reports will be accepted only if the researcher is able to demonstrate a way to reliably obtain/guess/craft target IDs, or when demonstrating a High severity Impact.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-28T16:42:04.709Z"},{"id":3704877,"new_policy":"\nEpic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. 
Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are not a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash a server that you are a member of\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-10T15:46:48.092Z"},{"id":3699681,"new_policy":"\nEpic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. 
Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-09T09:17:35.690Z"},{"id":3690144,"new_policy":"Hi Everyone!\n\nPlease be advised that from ***July 3rd - July 17th*** Epic Games will be on a company-wide summer break. While we will be keeping an eye on our bug bounty program response times may be slower than usual.\nResponse times will return to normal after this two-week break.\nAs always, thank you all for your hard work and dedication to our program!\n\nEpic Games Security Team\n\n===========\n\nEpic Games recognizes how important strong security is. 
The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n* ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-29T14:51:21.278Z"},{"id":3683841,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. 
Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n\n* Web Cache Poisoning/Deception issues will only be considered valid when:\n\n     * You’ll be able to prove that exploitation of the issue impacts other users (different IP, browser, etc.)\n     * It's possible to make this attack persistent for multiple targets\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-20T15:02:38.122Z"},{"id":3671129,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. 
Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. \n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-11T15:03:29.069Z"},{"id":3668682,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. 
We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. 
Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible delete any comments/posts after confirmation of findings so as not to pollute pages. 
\n*  ==When testing for findings, you will not flood email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame 
Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. (Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other 
rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-30T15:54:00.740Z"},{"id":3666348,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. 
We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. 
Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. 
\n* ==Once a finding is verified, you will not spam email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame 
Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. (Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other 
rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n\n\nAdditional Notes\n============\n\n* Missing or faulty Rate-limit issues will only be considered valid when affecting login or critical account related requests, and these do not include any form of 2FA. In case the 2FA control in place is also vulnerable, the issue will be assessed on a case by case basis.\nA valid PoC will also be required to contain:\n\n      * Proof of at least 1000 accepted requests by the server in a very short time-frame.\n      * Proof of successful login or completion of operation after said 1000+ requests.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-10T16:15:21.033Z"},{"id":3665709,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. 
We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n* Employees, or former employees that separated from the company within the prior 18 months, contingent workers, contractors and their personnel, or consultants of Epic Games or its subsidiaries, as well as persons living in the same household and their immediate family members, are not eligible to receive bounties or rewards of any kind under the Epic Games program.\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. 
Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. 
\n* ==Once a finding is verified, you will not spam email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame 
Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. (Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other 
rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-01T21:06:37.571Z"},{"id":3665689,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n\n\n**2. 
What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. 
These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* ==Once a finding is verified, you will not spam email forms, public forums, or other publicly consumable content as this will have an adverse effect on user experience==\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF, DKIM, and DMARC records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-01T15:30:52.902Z"},{"id":3664579,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n\n\n**2. 
What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. 
These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* Any content obtained during the POC of a finding must be deleted from systems within your control upon notice of your finding being rejected or validated by Epic. \n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-19T21:36:15.759Z"},{"id":3664308,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n\n\n**2. 
What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. 
These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own. Where possible, delete any comments/posts after confirmation of findings so as not to pollute pages. \n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-14T23:21:20.465Z"},{"id":3664307,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our players, data, products, and services. Our team understands that there is an incredible community of talented security researchers who want to help further strengthen our security, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n\n\n**2. 
What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. 
These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* When testing vulnerabilities in community-driven material, like forums or profiles, you may only test on content you've created. **Do not** attempt to discover findings on any community content other than your own.\n* Payment bypass and/or price bypass findings will only be accepted if you are able to successfully purchase the corresponding item(s). Where applicable, the price may only be changed by 5% and changes must be limited to a single purchase. The purchase price will be reimbursed as part of your bounty if a bounty is granted.\n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. 
Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000||\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500|\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-14T23:17:17.493Z"},{"id":3659842,"new_policy":"Epic Games recognizes how important strong security is. The Information Security Team at Epic Games is continually working to protect our services, games and our players. Thankfully, there are talented individuals (such as you reading this) who want to help, so we're thrilled to run this HackerOne program in order to help strengthen our security.\n\nIf you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find!\n\n______________________________________________________________________________________________________________________\n\nProgram Rules\n============\n______________________________________________________________________________________________________________________\n\n\n**1. Program Eligibility**\n* You are not a resident of, and will not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (eg: Cuba, Iran, North Korea, Sudan, and Syria)\n\n\n**2. What's allowed/permitted**\n* You will comply with all applicable laws and regulations\n* You will let us know as soon as possible following the discovery of a vulnerability\n* You will follow the disclosure guidelines defined below\n\n**3. 
What's not allowed/not permitted**\n* You may not submit reports from automated scanners and tools\n* You will not maliciously exploit any vulnerabilities\n* You will not in any way access any private or confidential information pertaining to Epic, our users, and/or any third parties\n* You will not conduct Denial of Service testing nor any other actions that disrupt services\n* You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information.\n* You will not conduct social engineering of any Epic employees and/or contractors\n* You will not conduct physical attempts against Epic Games property or data centers\n\n**4. Legal**\n\n* We reserve the right to exclude vulnerabilities for reasons that may not be included in the above list. \n* The Epic Games HackerOne response program will not remove or modify any bans placed on an account.\n* Failure to comply with any or all of these rules may result in removal from the program.\n\n\n\n______________________________________________________________________________________________________________________\n\n\n\n\nReport Submissions\n=============\n______________________________________________________________________________________________________________________\n\nWhat's required\n=============\n* You will only use an account you own that has been created for security testing when demonstrating a vulnerability. ==Your test account must include the phrase “**sectest**” in the username.==\n* When reporting vulnerabilities, you will consider (1) attack scenario/exploitability, and (2) security impact of the bug. These are crucial when determining the severity of your finding.\n* You will provide detailed reports with reproducible steps. 
Reports which are not detailed enough to reproduce will be closed as NA.\n* You may only submit one vulnerability per report unless multiple vulnerabilities are required to provide an impact.\n* Testing of vulnerabilities like cheats or exploits must be done using minimal proofs of concept and without disrupting gameplay for other users.\n* ==In case any potentially harmful action is required to test or validate a vulnerability or bug, submit your potential finding and ask for permission prior to taking the potentially harmful action. Do not take any potentially harmful actions without the explicit permission of the Epic Games team.==\n\n\n\nBounties\n=============\n\nPlease review the table below for examples of severity categories:\n\n|Description|Severity|Potential Bounty|Notes|\n|--|--|--|--|\n|Remote code execution on in-scope Epic Games game, store, and other core infrastructure endpoints|Critical|$15,000| |\n|Authentication bypass on Epic Games Store Accounts|Critical|$15,000|Does not include credential stuffing|\n|Authentication bypass on Epic-owned in-scope assets/services|Critical|$12,500|Does not include credential stuffing and/or brute force|\n|Remote code execution on Epic-owned in-scope assets outside of the Epic Games core infrastructure|Critical|$10,000| |\n|Payment process bypass|Critical|$10,000|Complete purchases in-store or in-game without payment|\n|Remote code execution on Epic-owned in-scope assets running vBulletin|Critical|$5,000| |\n|Privilege escalation on in-scope Epic services|High|$7,500| |\n\n______________________________________________________________________________________________________________________\nGame Security Severity Guidelines\n=====\n______________________________________________________________________________________________________________________\n\n## Fortnite:\n\n### Critical\n* Being able to enumerate the server IP address of another player in real-time. 
(Battle Royale)\n* Being able to crash a server that you are not a member of\n* Remote code execution on either the game server or another player’s computer\n\n### High\n* Being able to crash a server that you are a member of\n* Being able to modify weapon or vehicle characteristics that give you a gameplay advantage in a traditional, non-custom Solo BR match\n\n### Medium\n* Being able to crash people in your social party\n* Being able to modify interaction times on reviving players or using medkits\n\n### Low\n* Being able to modify interaction times on looting chests\n\n## Easy Anti-Cheat:\n\n### Critical\n* Remote code execution on either an associated backend server or another player’s computer\n* Remote denial of service by crashing anti-cheat components on another player’s computer\n\n### High\n* Local privilege escalation using the anti-cheat service or driver\n\n### Medium\n* Implementation details of a previously unknown and unique method for injecting cheats or otherwise accessing the game’s memory\n* Implementation details of a previously unknown and unique method for preventing anti-cheat detections\n* Implementation details of a previously unknown and unique method for spoofing or hiding hardware identifiers\n\n______________________________________________________________________________________________________________________\n\nDisclosure Guidelines\n=====\n\nYou understand that you may not disclose, or permit disclosure of, your findings or contents of your submission to anyone other than Epic or the HackerOne team without prior written approval from Epic Games.\n\nIf you violate this agreement you will be ineligible for bounty payments, swag or any other rewards.\n\n\n______________________________________________________________________________________________________________________\nScope\n=====\n______________________________________________________________________________________________________________________\n\nValid scopes are listed in 
the Assets section below, which also lists additional information on architecture. We generally follow the OWASP Top 10 Application Security Risks (2017), however, we would still love to hear from you in the event that you discover a vulnerability that is out of scope. Eligibility and bounties for any finding that is not explicitly in scope will be defined by the Epic Games team. This includes any acquisition, affiliate, or subsidiary that is not under the in-scope list.\n\n# Datamining Scope\nWhen datamining the approved clients/endpoints only the following findings are accepted:\n* fortnite-public-service-prod11.ol.epicgames.com\n      * Matchmaking data, session information, information disclosure, privilege escalation\n* FortniteClient-Win64-Shipping.exe\n      * Information disclosure, cryptographic weaknesses\n\n\nOut of Scope\n============\n\n* Vulnerabilities from automated scanners without additional analysis\n* Vulnerabilities relying on out of date browsers/software\n* Clickjacking/UI-redressing\n* XSS only affecting old browser versions\n* Missing or misconfigured security-related HTTP headers that do not directly lead to a vulnerability\n* Mixed content warnings\n* Missing cookie flags that do not directly lead to a vulnerability\n* All types of brute-force and/or credential stuffing attacks (with the exception of faulty or missed rate-limiting)\n* Credentials to individual end-user accounts (Eg: Epic Games Store accounts)\n* Denial of Service / Distributed Denial of Service attacks\n* Social engineering (e.g. 
phishing, vishing, smishing) attacks\n* Physical security attacks\n* SPF records and flags\n* Text-only injection\n* Password stuffing attacks\n* Bugs/Attacks requiring extremely unlikely actions by a victim (eg: Self-XSS) \n* Adobe Flash related submissions\n* Assets not owned by Epic Games (third party assets) are not considered in scope\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-12T16:32:05.906Z"}]