By participating in this program, you agree to:
- Respect the Community Code of Conduct
- Respect the Intigriti Terms and Conditions
- Respect the scope of the program
- Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
You are not eligible to participate in this program if you are underage or you do not have the authority in your own capacity to enter into a binding agreement on the terms and conditions of this program.
If you are a current or former Ubisoft employee within six months since the day of your departure, findings are not eligible for rewards.
Report Format and POC:
You must provide a proof-of-concept (POC) demonstrating a vulnerability and explain to the best of your knowledge the security impact.
Use your own account for testing purposes. Do not attempt to gain access to another user’s account or compromise any confidential user or Ubisoft information.
In all cases where OS or database access is obtained, please use only schema and versions to prove a vulnerability. Do not access data on disk or in tables (SQL Injection, LFI, etc) if possible.
Bans received while testing for issues will not be reversed.
Researchers should always refrain from impacting any other players within the game/s
This program does not allow disclosure. You may not release information about
vulnerabilities found in this program to the public.
You agree that any and all information, data or document of any kind regardless of form accessed by you within Ubisoft’s information systems or services of any kind or transmitted by Ubisoft shall be treated as strictly confidential.
This program requires explicit permission from Ubisoft to disclose any of Ubisoft’s information, including without limitation the results of a submission.
Ubisoft reserves the right to change or modify the terms of this program at any time without notification to you.
Please check for any updates to this program before making a new submission.
• Identical issues across different production and non-production environment counterparts will be considered duplicates.
• Identical issues across different subdomains that share code will be considered duplicates.
• Issues already identified internally will be considered duplicates.
This program does not imply that you should, in any way or in any case, be looking for personal
data in your research.
In accordance with the law, the term “personal data” covers a broad scope of information which allow for the identification of an individual, directly or indirectly. This means that “personal data” includes -but is not limited to – the following type of information: email address, username, Ubisoft ID, IP address, postal address, chat logs, in-game activity, etc.
In case you found personal data during your research, stop right there: any personal data found in your research is out of scope. Do not seek for any supplementary access to personal data and restrain from storing any of this personal data on your device. Any action involving the use, storage, copy or disclosure of personal data found in the context of this bounty is strictly
You should be aware that in case you do not comply with the aforementioned Ubisoft’s requirements regarding personal data in the context of this bounty, you will be in breach of the applicable data protection law, including the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). Ubisoft reserves the right to take any necessary action, including lodging a complaint to the national data protection authority, in case you do not comply with such requirements.
More Information regarding testing
You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.
Don’t do more harm than good. You should not leave systems or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, like attacks that require social engineering/phishing (or unlikely user interaction) on users, players, Ubisoft employees or contractors. Any similar action that interferes with a user's privacy, security or
experience is not allowed.
If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.