Bug Bounties

Epic Games

Powered by: 

Allows bounty splitting: 

Average time to first program response: 4

Average time to bounty awarded null: 218

Average time to report resolved: 2095

Handle epicgames

Managed program: true

Name: Epic Games

Offers bounties: true

Offers swag: true

Response efficiency percentage: 94

Submission state: open

Url: https://hackerone.com/epicgames

Website: https://epicgames.com

In scope:

  • Asset identifier: *.3lateral.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.amplitude-game.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.artstation.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.audicagame.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.bandcamp.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Make sure to follow Bandcamp’s terms of use and copyright policies to avoid your content from being removed or even face bans.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.bcbits.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.cubicmotion.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.dancecentral.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.dropmix.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.easy.ac
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.epicgames.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.epicgames.dev
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.fallguys.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.fortnite.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.harmonixmusic.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.hmxservices.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.hmxwebservices.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.jellychat.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.mediatonic.co.uk
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.oncatapult.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.popjam.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.psynet.gg
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.psyonix.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.quixel.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: When assessing Quixel models and/or posts you may only test findings on your own created content. Do not test on any posts or content you did not create. When completed please delete any posts/comments as to not pollute pages. Please review the program policy for further information.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.rockbandvr.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.rocketleague.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation. **==The white hat is no longer offered as a reward for Rocket League findings.==**
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.rukkaz.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Only Critical submissions are accepted
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.singspacegame.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.sketchfab.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: When assessing Sketchfab models and/or posts you may only test findings on your own created content. Do not test on any posts or content you did not create. When completed please delete any posts/comments as to not pollute pages. Please review the program policy for further information.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.superawesome.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.superawesome.tv
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.unrealengine.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: *.unrealtournament.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: ***Note:*** This asset may contain endpoints not hosted by Epic Games (third party endpoints). These third party endpoints are not eligible for bounty. Please take note of the infrastructure you are assessing, if the endpoint is not hosted on AWS and/or the ASN is not associated with Epic Games then it is most likely not hosted by Epic Games. If you are unsure whether or not an asset is considered third party please submit a preliminary finding for confirmation.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Any other Epic games owned asset not listed in the out of scope section
  • Asset type: OTHER
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Note: Acceptance of findings of this type are at the discretion of the Epic Games team.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: EOS C# SDK
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: none
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: [C# SDK] (https://dev.epicgames.com/portal/api/v2/services/sdk/download/?sdkType=c_sharp)
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: FortniteClient-Android-Shipping-arm64-es2.apk
  • Asset type: OTHER_APK
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: FortniteClient-Win64-Shipping.exe
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: FortniteLauncher-Win64-Shipping.exe
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: FortniteLauncher-Win64-Shipping_BE.exe
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: FortniteLauncher-Win64-Shipping_EAC.exe
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: FortniteLauncher.exe
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: forum.sketchfab.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: This is generally considered out of scope. We may accept submissions for this asset only if the finding is highly critical. Examples of severe findings: - Personal Data Exposure - Data Integrity Issues - RCE
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: help.sketchfab.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: This is generally considered out of scope. We may accept submissions for this asset only if the finding is highly critical. Examples of severe findings: - Personal Data Exposure - Data Integrity Issues - RCE
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: isitbandcampfriday.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: metahuman.unrealengine.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is an API Base, please also see the following list of endpoints GET: /health-check GET: /metrics GET: /api/v1/getClientSession GET: /api/v1/getQueuePosition GET: /api/v1/get-eula POST: /api/v1/accept-eula
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: ps3-meta.rockband.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: twinmotion.unrealengine.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is an API Base, please also see the following list of endpoints GET: /health-check GET: /metrics GET: /logout GET: /api/drive/account GET: /api/drive/presentations POST: /api/drive/rename_presentation POST: /api/drive/delete_presentation POST: /api/drive/share_presentation POST: /api/drive/unshare_presentation POST: /api/drive/create_session POST: /api/drive/user_position POST: /api/public/create_session POST: /api/public/user_position POST: /api/public/presentation
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: www.rockband4.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: high
  • Max severity: critical