Skip to main content

Riot trust Valorant's anti-cheat so much, they'll pay big bucks for exposing flaws

High-stakes Bounty Hunting

For Valorant, Riot's new Counter-Strike-with-Superpowers FPS, regular anti-cheat was never gonna cut it. From the beginning, they've been flaunting the shooter's technical guts - 128-tick servers, flawless ping, and an anti-cheat system that makes it "impossible for a player to cheat in game-defying ways". But that level of protection comes with a level of access that's raised a fair few concerns.

In an attempt to reassure fans, Riot are awarding up to £80,000 to anyone who manages to use Valorant's anti-cheat for ill-will.

Over the last week or so, Valorant's new "Vanguard" anti-cheat system has come under fire for its alleged invasiveness. I'm not much of a tech buff, but from what I understand, one of Vanguard's component is a kernel-level (or Ring 0) driver that runs at start-up, with full administrator privileges. It can be removed, sure, but Valorant won't run without it. This, naturally, raised concerns that Riot are giving themselves unwarranted access to your machine's deepest, darkest systems.

In a somewhat technical post outlining Vanguard's operation, Riot explains that they need this level of access to get ahead of cheating scripts that run on the same level - largely undetectable by client-level anti-cheat systems. Granted, Riot are also quick to remind that systems like BattleEye and EasyAntiCheat use similar tactics - Vanguard is simply doing the legwork of getting in before the cheats do.

Besides, Riot claim Vanguard "isn’t giving us any surveillance capability we didn’t already have". In their own words, "if we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network". Thanks, I guess?

Even if Riot don't intend on hijacking your PC, there's always the fear that more malicious actors could piggyback off of Vanguard. Yesterday, Riot opened up a bug bounty on HackerOne, offering increasingly lofty sums for vulnerabilities discovered in their anti-cheat system (via Kotaku).

These start high, and only get higher. Accessing admin-level privileges on a local guest account might net you $25,000 (a little over £20,000). But if you're aiming for the big bucks, you'll be trying to find ways to execute your own kernel-level code on a target machine without alerting the system's user. For that, Riot are paying out a hefty $100,000 (roughly £80,777).

Riot have historically used bug bounties to hunt for vulnerabilities, but these rewards are unusually massive. Similar operations from Nintendo and Rockstar, for example, cap out at about $10,000-20,000.

Unfortunately, it wasn't ever going to be long before the cheater vs anti-cheat arms race kicked off. Last week, Riot announced they'd had to start dishing out bans, on top of all the key-resellers and bot accounts flooding the closed beta.

Read this next