Riot has offered hackers up to $100,000 to find vulnerabilities in Valorant’s controversial anti-cheat.
The recent release of competitive PC shooter Valorant in closed beta form was accompanied by the release of Riot’s new anti-cheat solution, dubbed Vanguard.
Earlier this month, fans raised concerns about user security and privacy after discovering Vanguard is more invasive that other anti-cheat solutions.
Currently, if you download and play Valorant, then Vanguard is automatically installed on your computer, and it always runs with high privileges (the driver component runs in kernel-mode, as opposed to user-mode).
Without revealing exactly how Vanguard works, Riot explained its decision in a blog post: “If anti-cheat software is only run in user-mode, its capabilities would be compromised by a cheat running at a higher privilege level. For example, some of the more advanced cheating communities have used Direct Memory Access (DMA) to rebroadcast memory to a separate computer for later processing.”
Riot then insisted Vanguard does not collect or process any personal information beyond what the current League of Legends anti-cheat solution does, and revealed the Vanguard driver (kernel-mode) is used by the client to validate memory and system state, and to make sure the client has not been tampered with.
“Riot does not want to know more about you or your machine than what is necessary to maintain high integrity in your game,” Riot said.
However, Riot has also taken the extra step of offering a huge bounty pot for Vanguard exploit reports. It listed a handful of Valorant-specific bounties on HackerOne, a website where companies can offer rewards to hackers who expose security issues in their software. The maximum reward is $100,000, which relates to code execution on the kernel level that involves a network attack with no user interaction.
“To reinforce our commitment to our players’ security, we are offering special bounties for up to $100,000 for high quality reports that demonstrate practical exploits leveraging the Vanguard kernel driver,” Riot said.
“If you’re able to help us protect our players and their data by responsibly identifying new security issues for us to fix, you are awesome and we want to reward you.”
Riot’s use of HackerOne isn’t new – it has run a bug bounty program on the website for the past six years, rewarding hackers almost $2m in bounties.
However, this special scope for Vanguard and the higher bounties that come with it is indeed new, and clearly an attempt to convince sceptical PC gamers of Riot’s commitment to protecting user data, while keeping its anti-cheat competitive.
Well it sucks, but today we had to ban our first cheater (and it looks like more bans are on the horizon).
I was hoping for a little more time before this fight kicked off but we’re in it now and we’re ready.
— Paul Chamberlain (@arkem) April 9, 2020
Cheating is one of the biggest issues in competitive gaming, and Valorant fans are hoping the game doesn’t suffer a significant hacker problem when it eventually hits open beta. The question for Riot is, can it keep its anti-cheat effective without making it so intrusive as to cause a player backlash?
“Please keep holding us accountable for protecting both the competitive integrity of your games and your personal privacy,” Riot said.