Ubisoft is a leading video game company, the creators of original and immersive worlds like Assassin's Creed, Far Cry, The Crew, and Watch Dogs.
We welcome the reporting of security vulnerabilities that would help us protect our assets and players.
You are not eligible to participate in this program if you are underage or you do not have the authority in your own capacity to enter into a binding agreement on the terms and conditions of this program.
If you are an Ubisoft employee, findings are not eligible for rewards.
Report Format and POC:
You must provide a proof-of-concept (POC) demonstrating a vulnerability and explain to the best of your knowledge the security impact.
Use your own account for testing purposes. Do not attempt to gain access to another user’s account or compromise any confidential user or Ubisoft information.
In all cases where OS or database access is obtained, please use only schema and versions to prove a vulnerability. If possible, do not access data on disk or in tables (SQL injection, LFI, etc.).
Bans received while testing for issues will not be reversed.
This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
You agree that any and all information, data or document of any kind regardless of form accessed by you within Ubisoft’s information systems or services of any kind or transmitted by Ubisoft shall be treated as strictly confidential.
This program requires explicit permission from Ubisoft to disclose any of Ubisoft’s information, including without limitation the results of a submission.
Ubisoft reserves the right to change or modify the terms of this program at any time without notification to you. Please check for any updates to this program before making a new submission.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
- Identical issues across different production and non-production environment counterparts will be considered duplicates.
- Identical issues across different subdomains that share code will be considered duplicates.
- Issues already identified internally will be considered duplicates.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.