Ubisoft is a leading video game company, the creators of original and immersive worlds like Assassin's Creed, Far Cry, The Crew or Watch Dogs. This engagement is specifically for Growtopia and related assets. Please refer to the In Scope Target list for more information.
We welcome the reporting of security vulnerabilities that would help us protect our assets and players
You are not eligible to participate in this program if you are underage or you do not have the authority in your own capacity to enter into a binding agreement on the terms and conditions of this program.
If you are an Ubisoft employee, findings are not eligible for rewards
Report Format and POC
You must provide a proof-of-concept (POC) demonstrating a vulnerability and explain to the best of your knowledge the security impact.
Use your own account for testing purposes. Do not attempt to gain access to another user’s accounts or compromise any user or Ubisoft confidential information
This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
You agree that any and all information, data or document of any kind regardless of form accessed by you within Ubisoft’s information systems or services of any kind or transmitted by Ubisoft shall be treated as strictly confidential.
This program requires explicit permission from Ubisoft to disclose any of Ubisoft’s information, including without limitation the results of a submission.
Ubisoft reserves the right to change or modify the terms of this program at any time without notification to you. Please check for any updates to this program before making a new submission.
- Identical issues across different production and non-production environment counterparts will be considered duplicates.
- Identical issues across different sub domains that share code will be considered duplicates.
- Issues already identified internally will be considered duplicates.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. Most changes in the priority will follow the following matrix.
|P1||Access to game servers to manipulate code or change data through any mean|
|P2||Access to developer/ moderator account|
|P3||Game exploits that can cause repeated game outages via packet manipulation Game exploits that can be used to duplicate items in the game|
|P4||Game exploits to take game action on other players behalf without their consent via packet manipulation Game exploits to interpret other players game data|
In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Scope and rewards
|Technical severity||Reward range|
|p1 Critical||$6,100 - $6,500|
|p2 Severe||$2,100 - $2,500|
|p3 Moderate||$850 - $1,000|
|p4 Low||$300 - $500|