Intigriti
Description

Ubisoft is a leading video game company, the creators of original and immersive worlds like Assassin's Creed, Far Cry, The Crew, Rainbow Six and Watch Dogs. We welcome the reporting of security vulnerabilities that would help us protect our players and assets.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Required
Not applicable
max. 2 requests/sec
X-Intigriti-Username: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Eligibility:
You are not eligible to participate in this program if you are underage or you do not have the authority in your own capacity to enter into a binding agreement on the terms and conditions of this program.

If you are a current or former Ubisoft employee within six months since the day of your departure, findings are not eligible for rewards.

Report Format and POC:
It is a requirement when reporting to this program that you provide a proof-of-concept (POC) demonstrating a vulnerability and explaining, to the best of your knowledge, the security impact.

What needs to included with the proof-of-concept:

  • Description of how the vulnerability was identified
  • Full and detailed reproduction steps
  • A clear and concise description of the severity and the impact
  • Any videos or images that are relevant to the report
  • An accurate CVSS score

Including the above and any additional supporting information regarding the vulnerability(CVEs, blog posts, etc.) will assist us greatly with reviewing and processing your report.

Use your own account for testing purposes. Do not attempt to gain access to another user’s account or compromise any confidential user or Ubisoft information.

In all cases where OS or database access is obtained, please use only schema and versions to prove a vulnerability. Do not access data on disk or in tables (SQL Injection, LFI, etc) if possible.

Bans received while testing for issues will not be reversed.

Researchers should always refrain from impacting any other players within the game/s

Nondisclosure:
This program does not allow disclosure. You may not release information about
vulnerabilities found in this program to the public.

You agree that any and all information, data or document of any kind regardless of form accessed by you within Ubisoft’s information systems or services of any kind or transmitted by Ubisoft shall be treated as strictly confidential.

This program requires explicit permission from Ubisoft to disclose any of Ubisoft’s information, including without limitation the results of a submission.

Modification:
Ubisoft reserves the right to change or modify the terms of this program at any time without notification to you.

Please check for any updates to this program before making a new submission.

Duplicates:

  • Identical issues across different production and non-production environment counterparts will be considered duplicates.
  • Identical issues across different subdomains that share code will be considered duplicates.
  • Issues that are found to be systemic with the same root cause will be considered duplicates.
  • Issues already identified internally will be considered duplicates.

Personal Data:
This program does not imply that you should, in any way or in any case, be looking for personal
data in your research. If you come across personal data that is not meant to be public during your testing, please stop your testing and report the behavior.

In accordance with the law, the term “personal data” covers a broad scope of information which allow for the identification of an individual, directly or indirectly. This means that “personal data” includes -but is not limited to – the following type of information: email address, username, Ubisoft ID, IP address, postal address, chat logs, in-game activity, etc.

In case you found personal data during your research, stop right there: any personal data found in your research is out of scope. Do not seek for any supplementary access to personal data and restrain from storing any of this personal data on your device. Any action involving the use, storage, copy or disclosure of personal data found in the context of this bounty is strictly
unauthorized.

You should be aware that in case you do not comply with the aforementioned Ubisoft’s requirements regarding personal data in the context of this bounty, you will be in breach of the applicable data protection law, including the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). Ubisoft reserves the right to take any necessary action, including lodging a complaint to the national data protection authority, in case you do not comply with such requirements.

More Information regarding testing
You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.

Don’t do more harm than good. You should not leave systems or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, like attacks that require social engineering/phishing (or unlikely user interaction) on users, players, Ubisoft employees or contractors. Any similar action that interferes with a user's privacy, security or
experience is not allowed.

If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.

Domains

Ubisoft

Tier 2
Other

Ubisoft services available from the internet and any software developed by Ubisoft that is not listed as Out of Scope. This includes our web applications, servers, and all our game(s) within 1 year of the last patch/update.

Out of scope
URL
Out of scope
URL
In scope

Focus Areas
• Web security (Example: exploitable SQL injection)
• Certain game exploits (Example: Major impact on other players, Remote Code Execution, or disclosure of player PII through the game)
• Other security concerns (Example: Infrastructure security problems, information disclosure issues)

Please self sign up for any testing accounts using your @intigriti.me email.

Any bans incurred during testing will not be reversed.

Check out our:

Videos
Website
Information about Ubisoft

ubisoft1.png
{373943} 1/12/2023, 1:40:04 PM
Out of scope

Domains

Application

  • API key disclosure without proven business impact
  • Reflected XSS in all parameters on www.ubisoft.com
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Vulnerabilities that are not under Ubisoft control, such as bugs in 3rd party authentications (attacks specifically against our implementation are fine)
  • Any vulnerability obtained through the compromise of a Ubisoft staff or player account: if you need to test a vulnerability, create another account; don’t take someone else’s. This type of activity will result in disqualification from the program permanently

Mobile

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage used for insensitive activities/actions

Game

  • Bypassing Anti-Cheat mechanisms in game(s)
  • Attacks that only affect or are only triggered in single-player games that are not caused by a previous multiplayer session (e.g., game files or resources downloaded by a game server)
  • Reports that require the user to open a crafted game demo file.
  • Reports that require crafted content (maps, sounds, mods, etc)
  • Techniques that require the game to be run in a non-standard way - for example, with a debugger attached or with unusual startup parameters.
  • General game bugs/Glitches (NPC stops following player during quest, wall hacks, etc)
  • Specific cheaters, mods, or mod developers, nor does this program apply to links to cheating forums, discords, social media handles, or any other references to known cheat / modding resources
Severity assessment

This program utilizes CVSS v3 to assess the severity of reports for none in-game exploits.

Exceptional
CVSS range: 9.5 - 10.0

Critical
CVSS range: 9.0 - 9.4

High
CVSS range: 7.0 - 8.9

Medium
CVSS range: 4.0 - 6.9

Low
CVSS range: 0.1 - 3.9

Please check back to this section frequently as we will be making adjustments as time goes on.

General
The below severity table is specific to any in-game vulnerability. Note that all the severities of in-game vulnerabilities will be handled on a case by case situation.

Low
* Ban bypasses; i.e. a banned player can still matchmake and play online.
* Social filter bypasses; i.e. a blocked/muted player can still communicate with you. (we don’t care about bypassing language filters)

Medium
* Monetization (Ability to gain Hard Currency or Affecting Game Economy in a multiplayer settings or Obtaining Store-only items that will be replicated to others)
* Local Privilege Escalation (Ubisoft Connect)
* Impactful implementation flaws in the core game loop. i.e. Unkillable in a deathmatch, Teleport, Abusable skills, Instant Win. Impersonation of a player during a game session.

High
o Denial of service that can affect a large number of players or Ubisoft on a large scale. (No DDoS)

Critical/Exceptional
* Vulnerabilities resulting in Account takeovers of every player,
* Remote code execution on the gaming server/Ubisoft infra.
* Remote code execution on other players.

FAQ

Where can we get credentials for the iOS, Android and Windows Platforms?

Please use the self registration forms to gain access to the game on iOS and Android platform.
Please ensure to use your '@intigriti.me' email address.

Reminder that any bans incurred during testing will not be reversed.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
logo
Last 90 day response times
avg. time first response
< 3 days
avg. time to decide
+3 weeks
avg. time to triage
< 3 days
Activity
6/21
Ubisoft
closed a submission
6/20
Ubisoft
closed a submission
6/20
Ubisoft
closed a submission
6/20
Ubisoft
closed a submission
6/19
Ubisoft
closed a submission
6/19
Ubisoft
closed a submission
6/19
Ubisoft
closed a submission
6/19
Ubisoft
closed a submission
6/18
logo
created a submission
6/17
logo
created a submission