Description

Ubisoft’s Responsible Disclosure Program provides a safe, public channel for anyone to report security vulnerabilities in Ubisoft-owned, internet‑facing services, official applications and video games. The purpose of this program is to partner with the security community to identify and remediate issues before they can impact our players, employees, partners, or data. We encourage good‑faith, non‑disruptive research and clear, reproducible reports that demonstrate impact with the minimum necessary evidence. Please avoid actions that could affect availability, privacy, or other users, and use test accounts whenever possible. In return, our security team commits to prompt triage, transparent communication, and appropriate recognition in line with program policies. If you believe you’ve found a vulnerability, please submit it through Intigriti so we can investigate and fix it quickly—helping keep Ubisoft’s worlds safe and enjoyable for everyone.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
  • Proof of concept: Required
  • Not applicable
  • Rate limit: max. 2 requests/sec
  • Identification header: X-Intigriti-Username: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Eligibility:
You are not eligible to participate in this program if you are underage or you do not have the authority in your own capacity to enter into a binding agreement on the terms and conditions of this program.

If you are a current Ubisoft employee, or a former Ubisoft employee within six months of the day of your departure, your findings are not eligible for rewards.

Report Format and POC:
It is a requirement when reporting to this program that you provide a proof-of-concept (POC) demonstrating a vulnerability and explaining, to the best of your knowledge, the security impact.

What needs to be included with the proof-of-concept:

  • Description of how the vulnerability was identified
  • Full and detailed reproduction steps
  • A clear and concise description of the severity and the impact
  • Any videos or images that are relevant to the report
  • An accurate CVSS score

Including the above, along with any additional supporting information regarding the vulnerability (CVEs, blog posts, etc.), will assist us greatly in reviewing and processing your report.

Use your own account for testing purposes. Do not attempt to gain access to another user’s account or compromise any confidential user or Ubisoft information.

In all cases where OS or database access is obtained, please use only schema names and version information to prove the vulnerability. Do not access data on disk or in tables (SQL injection, LFI, etc.) if it can be avoided.

Bans received while testing for issues will not be reversed.

Researchers should always refrain from impacting any other players within the game(s).

Nondisclosure:
This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

You agree that any and all information, data or document of any kind regardless of form accessed by you within Ubisoft’s information systems or services of any kind or transmitted by Ubisoft shall be treated as strictly confidential.

This program requires explicit permission from Ubisoft to disclose any of Ubisoft’s information, including without limitation the results of a submission.

Modification:
Ubisoft reserves the right to change or modify the terms of this program at any time without notification to you.

Please check for any updates to this program before making a new submission.

Duplicates:

  • Identical issues across different production and non-production environment counterparts will be considered duplicates.
  • Identical issues across different subdomains that share code will be considered duplicates.
  • Issues that are found to be systemic with the same root cause will be considered duplicates.
  • Issues already identified internally will be considered duplicates.

Personal Data:
This program does not imply that you should, in any way or in any case, be looking for personal data in your research. If you come across personal data that is not meant to be public during your testing, please stop your testing and report the behavior.

In accordance with the law, the term “personal data” covers a broad scope of information which allows for the identification of an individual, directly or indirectly. This means that “personal data” includes (but is not limited to) the following types of information: email address, username, Ubisoft ID, IP address, postal address, chat logs, in-game activity, etc.

If you find personal data during your research, stop right there: any personal data found in your research is out of scope. Do not seek any supplementary access to personal data, and refrain from storing any of this personal data on your device. Any action involving the use, storage, copying or disclosure of personal data found in the context of this program is strictly unauthorized.

You should be aware that if you do not comply with the aforementioned Ubisoft requirements regarding personal data in the context of this program, you will be in breach of the applicable data protection law, including the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Ubisoft reserves the right to take any necessary action, including lodging a complaint with the national data protection authority, if you do not comply with such requirements.

More Information regarding testing
You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.

Don’t do more harm than good. You should not leave systems or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as attacks that require social engineering/phishing (or unlikely user interaction) against users, players, Ubisoft employees or contractors. Any similar action that interferes with a user's privacy, security or experience is not allowed.

If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.

Assets

  • Game Titles: Tier 2, Other
  • First-party Ubisoft Web, Desktop and Mobile applications: Tier 2, Other
  • The Settlers Online game: Out of scope, Other

In scope

Active in-scope Game Titles - last updated 08/12/25

Platforms: all officially supported platforms and distribution channels for each title (e.g., PC, PlayStation, Xbox, Switch, iOS, Android, cloud services, and web-based games playable in a web browser).

  • R6 Siege
  • TCTD2
  • For Honor
  • Skull & Bones
  • The Crew: Motorfest
  • Just Dance
  • Watch Dogs Legion
  • Laser
  • Genesis
  • GR: Wildlands
  • AC: Shadows
  • Hungry Shark World
  • Hungry Shark Evolution
  • Invincible
  • Howrse
  • Brawlhalla
  • R6Mobile
  • M&M Era of Chaos
  • JD:Now
  • AC Mirage
  • AC Shadows
  • POP Lost Crown

Example Vulnerability Categories (Non-Exhaustive):

  • Remote code execution in the game client via network/protocol inputs or update channels; RCE or injection on game backends/services.
  • Account takeover via Ubisoft Connect or in-game auth flows.
  • Authorization flaws exposing or modifying player data, inventories, entitlements, cloud saves, or UGC.
  • Economy integrity issues (e.g., unauthorized currency/item grants, duplication, purchase verification bypass).
  • Rank/MMR/leaderboard manipulation via backend/API weaknesses.
  • Significant player data exposure (e.g., PII, session tokens, auth secrets).
  • Impactful implementation flaws in the core game loop (e.g., being unkillable in a deathmatch, teleporting, abusable skills, instant win, impersonation of a player during a game session).

In-scope Assets - Corporate, Web, Desktop and Mobile applications:

  • Public-facing web applications and APIs owned and operated by Ubisoft (e.g., *.ubisoft.com, *.ubi.com, *.ubisoftconnect.com).
  • Official desktop applications (e.g., Ubisoft Connect and similar Ubisoft-owned client software) and official mobile applications (iOS/Android). Mobile applications that provide corporate services, account management, companion functionality, or other non‑game features are in scope; mobile games are excluded (see Game‑specific exclusions).
  • Corporate/online services and infrastructure exposed to the internet where Ubisoft is the owner/operator (e.g., partner/employee portals, admin panels, CDNs, storage endpoints).

Example Vulnerability Categories (Non-Exhaustive):

  • Authentication and session issues leading to account takeover (e.g., insecure password reset, MFA bypass, OAuth/OIDC flaws).
  • Authorization/access control issues (e.g., IDOR, vertical/horizontal privilege escalation).
  • Injection and remote code execution (e.g., SQLi, command/template injection, insecure deserialization).
  • SSRF with demonstrable impact (e.g., access to cloud metadata or internal services resulting in credential or sensitive data exposure).
  • Significant data exposure (e.g., PII, credentials, tokens, source code, sensitive configurations).
  • Business logic flaws with security impact (e.g., bypassing purchase verification, unauthorized actions).
  • Subdomain takeover with a working takeover proof-of-concept and demonstrated impact.
  • Misconfigurations exposing sensitive data or control (e.g., publicly readable storage with sensitive content, exposed admin interfaces with weak authentication).
Out of scope

General

  • Any domain that does not appear in the in-scope list above is out of scope for this program.
  • Any game listed as out of scope above is out of scope for this program.

Out-of-Scope

  • Low‑impact/informational issues: missing security headers or cookie flags, verbose/error messages, banner/version disclosure, metadata in files, best‑practice violations (password policies, autocomplete), XML‑RPC, etc.
  • Client‑side / non‑exploitable XSS and similar: self‑XSS, reflected XSS that requires unrealistic user interaction or cannot compromise other users, same‑site scripting, harmless CSV/content injection.
  • Findings lacking demonstrated impact or PoC: API keys/tokens or host/CORS issues with no business impact, blind SSRF/HTTP smuggling/pingbacks without proof, subdomain takeover claims without an actual takeover, arbitrary upload without an accessible file.
  • Enumeration, nuisance and social attacks: username/email enumeration, email bombing, spam, social engineering, phishing, or physical intrusion.
  • Availability / destructive testing: DoS/DDoS, large‑scale brute force, or tests that intentionally degrade services.
  • Third‑party, unsupported or out‑of‑control systems: vulnerabilities not under Ubisoft’s control (third‑party services, integrations), or issues in software that no longer receives security updates.
  • Duplicate/theoretical reports: vulnerabilities already known to Ubisoft, or purely theoretical issues with no realistic attack surface or exploit scenario.
  • Mobile specifics: issues only exploitable on jailbroken/rooted devices, runtime hacks requiring compromised devices, clipboard/URI leaks caused by other apps, or missing obfuscation/pinning without demonstrable impact.
  • Game specifics: cheat/anti‑cheat bypasses, single‑player‑only bugs not stemming from multiplayer, crafted game/demo/content requirements, non‑standard launch conditions, general gameplay glitches, or reports about specific cheating/mod communities.
  • Same technical stack / cross‑domain duplicates: reports that identify the same root cause or exploit vector in multiple hosts that share the same application/codebase/technical stack (for example the same website deployed across different domains or environments) may be considered duplicates. If the vulnerability, exploitability and business impact are effectively identical across those hosts, only one report will typically be required and may be eligible for a single reward. Exceptions may be made when different hosts represent distinct products, tenants or user populations and the impact differs materially. To avoid duplicate submissions and help triage, include in your report which domains/hosts you tested and whether the PoC applies to each.

Severity assessment

Corporate, Web, Desktop & Mobile - assessed with CVSS v4

  • Low
    • CVSS 0.1–3.9
  • Medium
    • CVSS 4.0–6.9
  • High
    • CVSS 7.0–8.9
  • Critical
    • CVSS 9.0–9.4
  • Exceptional
    • CVSS 9.5–10.0

Notes: CVSS v4 is used to triage severity for non‑game exploits. Please check this section periodically — thresholds and handling may be adjusted over time.

Game titles (in-game vulnerabilities - handled case-by-case)

  • Low
    • Ban bypasses (banned player can still matchmake/play)
    • Social filter bypasses (blocked/muted player can still communicate)
  • Medium
    • Monetary/economy impact (gain hard currency, affect multiplayer economy, obtain store‑only items replicated to others)
    • Local privilege escalation related to Ubisoft Connect
    • Significant core game‑loop flaws (e.g., unkillable in deathmatch, teleport, abusable skills, instant win, impersonation during session)
  • High
    • Broad denial-of-service affecting a large player base or Ubisoft services (explicitly excludes internet-scale DDoS testing)
  • Critical / Exceptional
    • Universal account takeover (affecting all players)
    • Remote code execution on game servers or Ubisoft infrastructure
    • Remote code execution impacting other players

Notes: in‑game severities are evaluated per‑finding with context (exploitability, scope, persistence). If unsure, submit the report — cases not listed above will be considered.

FAQ

Where can we get credentials for the iOS, Android and Windows Platforms?

Please use the self-registration forms to gain access to the game on the iOS and Android platforms.
Please make sure to use your '@intigriti.me' email address.

Reminder that any bans incurred during testing will not be reversed.


Last 90 day response times

  • avg. time to first response: < 5 days
  • avg. time to decide: +3 weeks
  • avg. time to triage: < 2 weeks
Activity

  • 10/21: marovul created a submission
  • 10/20: Ubisoft changed the assets
  • 10/20: Ubisoft changed the in scope
  • 10/20: Ubisoft changed the severity assessment
  • 10/20: Ubisoft changed the severity assessment
  • 10/20: Ubisoft changed the out of scope
  • 10/20: Ubisoft changed the description
  • 9/26: Ubisoft closed a submission
  • 9/25: Ubisoft closed a submission
  • 9/25: Ubisoft closed a submission