Riot Games new tactical shooter - Valorant - has, in my ways, been an unmitigated success. Millions are attempted to gain access to the closed beta by watching Twitch streams, and the reception from the gaming community has been resoundingly positive. But one thing that has been an issue, and could be a sticking point for many gamers is the anti-cheat system, dubbed Vanguard, that Riot have used in their latest title.
The issue stems from the fact that Vanguard works at the very base level of your computer - the kernel level - and without getting too technical few other anti-cheats employ such an intrusive method to stop cheating. That coupled with Riot being wholly owned by the Chinese technology company, Tencent, which has boasted about its strong cooperation with Chinese authorities and you have many gamers asking if the ends truly justify the means.
In a blog post that attempts to address gamers concerns while announcing the bounty program, Riot has said they understand the decision to use a kernel-mode driver can "raise concerns" they reiterate that "Vanguard was built with security and privacy at its heart".
To help assuage privacy fears they are expanding their BugBounty program on HackerOne to include a section specifically on Vanguard. Hackers will be awarded money, starting from $25,000 for managing to gain "unauthorized access to sensitive data" to $100,000 for being able to "code execution on the kernel level".
To be awarded the bounty payout a hacker must find an exploit that doesn't involve social engineering or tinkering with hardware and meets these criteria:
- The exploit works on the latest version of Vanguard
- You must provide a working proof of concept for the exploit that can be run by Riot Games along with a detailed report
- The exploit hasn’t been shared elsewhere before
- The findings are not disclosed outside of this program without the explicit approval of Riot Games
For further details, refer to the HackerOne Vanguard page.
Riot has also stated they are prepared to remove the Vanguard anti-cheat if a serious security breach is ever discovered, speaking in an article on ARS Technica, Riot's anti-cheat lead Paul Chamberlain said: "In extreme cases, we would work with our patcher team to automatically remove Vanguard from all players' computers. After we had pushed a fix or removed the driver, we would work with Microsoft to get the vulnerable driver blacklisted."
Whether this ultimately ends the concerns of the player base is yet to be seen, in a Reddit post on r/PCGaming, the response was largely negative.
Riot is not the only game company to run a bug finding program to test the vulnerabilities of their anti-cheat. Valve, creators of Half-Life, Counter-Strike and a number of other franchises have given out $5,000,000 in bounties since they have ran a similar program.