Description

Creators of hit computer game franchises Bloons, Bloons TD and SAS: Zombie Assault for mobile and web. We have offices in Auckland, New Zealand and Dundee, Scotland. We are excited to engage with the security community to help us keep our users safe and our services secure. This is our second Bug Bounty program after a successful campaign in 2021.

Bounties

Severity (CVSS score) | Tier 1 | Tier 2 | Tier 3
Low (0.1 - 3.9) | 165 | 110 | 75
Medium (4.0 - 6.9) | 1,080 | 715 | 450
High (7.0 - 8.9) | 2,060 | 1,375 | 865
Critical (9.0 - 9.4) | 3,300 | 2,200 | 1,400
Exceptional (9.5 - 10.0) | 4,125 | 2,750 | 1,700
Range | €165 - €4,125 | €110 - €2,750 | €75 - €1,700

Rules of engagement
max. 10 requests/sec

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Validation times
We will validate all submissions within the timelines below, once your submission has been verified by Intigriti.
Submissions validated outside of these timelines may be awarded a €25 bonus.

Vulnerability Severity | Time to validate
Exceptional | 2 Working days
Critical | 2 Working days
High | 5 Working days
Medium | 15 Working days
Low | 15 Working days

This remains at the discretion of Ninja Kiwi Games to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Ninja Kiwi Games to award.

Domains

This domain hosts the API that consumed analytics events from our game clients

This domain hosts the API for our mobile and PC games. Monitoring traffic through one of our game clients is the easiest method to investigate our main API. Most of our applications are available for free on Steam. Please carefully read the in-scope section regarding what sorts of exploits will be considered in-scope for this domain.

This domain hosts builds of Ninja Kiwi games for iOS devices.

Areas of focus:

  • The ability to download any valid build from this service will be considered a CRITICAL vulnerability.
  • We will reward any enumeration of available game builds with a Medium bounty.

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

For the domain api.ninjakiwi.com, you can sign up for a free account from inside any of our recent games. Most of these games are free to play and are available on mobile stores as well as Steam.

For mynk.ninjakiwi.com, you can create a free account in our NK Archive application and then launch any of our legacy Flash games (Bloons TD 5, etc.).
