Description

InnoGames is Germany’s leading developer and publisher of mobile and online games. The company based in Hamburg and has a team of more than 400 employees.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 2
100
300
750
1,500
2,000
Tier 2
€100 - €2,000
Rules of engagement
Required
Not applicable
max. 1 request /sec
Not applicable

Our promise to you

  • We will respond to report in ultimately five working days, probably faster!
  • We are happy to respond to any questions, please use the button in the right top corner for this.
  • We respect the safe harbour clause that you can find below

Your promise to us

  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo)
  • Please do not use automatic scanners -be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's 😉)
Domains

*.igpayment.com

Tier 2
Wildcard

This is our payment environment used in all of our games.

Note for automated-scanning:
We are happy that you are as enthusiastic as we are about this program!
To not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s.

*.innogames.com

Tier 2
Wildcard

Note for automated-scanning:
We are happy that you are as enthusiastic as we are about this program!
To not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s.

*.innogames.de

Wildcard

Notes for login.innogames.de
This is our central login and account management tool. We do not provide accounts for this service and there are no registration pages available.

Note for automated-scanning:
We are happy that you are as enthusiastic as we are about this program!
To not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s.

Severity assessment

Ratings and Rewards

For the initial prioritisation/rating of findings, this program will use the CVSS classifications. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Exceptional

  • RCE (Remote Code Execution)

Critical

  • Access to restricted customer data (e.g. email address , personal messages)
  • SQL injection

High

  • Stored XSS without user interaction
  • Account Takeover
  • Authentication bypass on critical infrastructure

Medium

  • XSS
  • CSRF

Low

  • Open redirect
FAQ

Coming back in 2025

Where can we get credentials for the app?

For the games: You can self-register on the application but please don’t forget to use your @intigriti.me address.
For the internal services/admin tools there will be no credentials. Consider this a black-box test.

Premium Testing Credit - Currency (Diamonds)

Feel free to create as many accounts as you need in order to efficiently test the game ecosystem. Every registered account will receive an amount of 250.000 diamonds in order to facilitate testing of the premium parts of the game. If you need more, just let us know.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.