Good online strategy games are what Forge of Empires stands for. As a chieftain who founds a settlement in 5000 B.C., in the Stone Age, with little more than a few tents, your task is to show your strategy skills and develop your city through the ages of history in this browser-based empire game. Prove yourself a worthy ruler and lead your reign to glory!
We have set up an exclusive world on our most-played game, Forge of Empires, to be hacked! Enjoy the daily-deployed game updates constantly introducing new attack surface, and the free premium in-game currency!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Reports - Bonus Reward
For very well-written reports and/or reports that fully describe exploit chains, researchers will receive an additional 10% reward bonus (minimum). Bonus rewards are given at the sole discretion of the InnoGames customer triage team.
Reports - Impact Descriptions
Submissions that do NOT include an impact description & proof-of-concept will not be rewarded.
- For example, an XSS vulnerability report should include proof of the vulnerability AND proof that a user's cookie can actually be stolen, rather than just assuming the vulnerability's impact.
- If a submission does not contain an impact description, is not fully explained, or the impact of the vulnerability is assumed, the submission will not be eligible for reward.
Reports - Proof-of-Concept File Uploads
Do not upload any vulnerability-related information to 3rd-party services (e.g. Google, YouTube, Dropbox, or Tinyurl). Include all your PoC screenshots/videos as attachments to your report (up to 50MB). If this is not possible, leave a note in the report saying so and email firstname.lastname@example.org.
Reward Range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $3,000 |
| P2 Severe | $1,000 - $2,000 |
| P3 Moderate | $500 - $1,000 |
| P4 Low | $100 - $500 |
Any domain/property of Forge of Empires or InnoGames that is not listed in the targets section below is out of scope. This includes any and all subdomains not listed there.
Forge of Empires Mobile Application (iOS and Android)
https://rink.hockeyapp.net/recruit/a2f798c932964ab48542149b10798814 - The HockeyApp builds have a special test market (XS) pinned for the app. On this market (the same one as the web version) you will receive a massive amount of premium currency so that you can test all functions of the game.
xs.forgeofempires.com - Our game landing page system, used to sign up, log in, and get news about the game.
xs0.forgeofempires.com - Our game master server, which stores information about all available worlds (in this case only xs1).
xs1.forgeofempires.com - The actual game world where all the game logic resides and to which the player gets redirected.
Create a Testing Account:
- Go to https://xs.forgeofempires.com and sign up using your @bugcrowdninja.com email address (see here for more info on @bugcrowdninja emails: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address)
- Once logged in, choose the
- We have created an exclusive world for you called Arvahall to hack all the things!
Premium Testing Credit - Currency (Diamonds)
Feel free to create as many accounts as you need in order to test the game ecosystem efficiently. Every registered account will receive 250,000 diamonds to facilitate testing of the premium parts of the game. If you need more, just let us know.
Note on Flash/HTML5 Versions
We currently run two versions of the game: a deprecated Flash-based version and an HTML5-based version. The HTML5 version is enforced on the in-scope assets, and we only accept vulnerabilities affecting the HTML5 version; the Flash version is out of scope.
Besides the classic web vulnerability classes such as XSS, CSRF, IDOR, SQLi and RCE, we are mostly interested in security vulnerabilities that negatively affect the game's ecosystem, such as:
- Disclosure of PII from other player accounts
- Manipulation of the city of other players
- Cheating in battles against other players
Out of Scope
- All other localized versions of live markets (de.forgeofempires.com, en.forgeofempires.com, etc.)
- The Flash version of Forge of Empires
- All bugs that only allow an individual to gain a personal advantage
- Vulnerability reports without proven exploitability
- Theoretical issues or otherwise unproven assumptions without a proof of exploitability
- Denial of Service (DoS) attacks of any kind
- Physical and social engineering attacks
- Results of automated scanners
- Internal pivoting, scanning, exploiting, or exfiltrating data from internal InnoGames systems
- Outdated, known-vulnerable software without a fully working exploit against the in-scope assets
- Any URIs leaked because a malicious app has permission to view URIs opened
- Certificate hard-coded/recoverable in apk/ipa
- Sensitive data in request bodies when protected by TLS
- Any kind of sensitive data stored in app private directory