We value the work of security researchers and would like to invite anyone willing to spend time on helping Niantic improve security to give us their feedback. Niantic is committed to engaging with the security community and is thankful for your contributions!
If you want to report a security-related issue you have identified, be sure to review and follow our terms and conditions before sending us a report via the form linked at the bottom of the page.
Games and their respective backends
- Pokémon Go
- Harry Potter: Wizards Unite
- Ingress Prime
Specifically out-of-scope vulnerability types
- Information disclosures such as application and version banners, stack traces, server errors, internal IPs or path disclosures
- Brute force attacks involving username/password, account lockout, username/email enumeration (attacks that go beyond blindly testing may still be considered)
- Any physical attacks against Niantic facilities, property, or employees
- Any social engineering attacks (e.g. phishing, email spoofing or self-XSS)
- Open redirects
- TLS/SSL issues
- Any exhaustion or disruptive attacks such as (Distributed) Denial of Service, request spamming, slowloris, etc.
- CSRF issues not impacting account integrity
- Cookie security (e.g. secure flag)
- Out-of-date or known-vulnerable software (high severity issues might still be considered depending on possible impact)
- Cheating incidents or issues around in-game exploits
Niantic will consider the maximum impact of the presented vulnerability. Reporters may be rewarded, at our discretion, based on the severity of found vulnerabilities.
Investigating and reporting
- Niantic will make reasonable efforts to investigate and resolve the reported issue within 90 days. However, in some cases Niantic may require more time, which we will communicate to you. Do not share any information about the report before Niantic has communicated that the issue has been resolved.
- Do not alter any data you gain access to as a result of your investigation. As a rule of thumb, only attack your own accounts. Examples of what to avoid: accessing user profile data other than your own, or altering database entries or bucket contents.
- Avoid privacy violations and disruptions, including (but not limited to) impacting service quality via (D)DoS, deletion of data or accessing personal accounts (e.g. via phishing). You remain personally responsible for any privacy violations, disruptions, or any violations of applicable laws or regulations you commit while taking part in a security report.
- Do not try to exploit a vulnerability (e.g. do not try to gain access to a machine or pivot/scan from an already compromised one to demonstrate additional risk).
- Do not violate any other applicable laws or regulations.
You acknowledge that any report or information you provide to Niantic constitutes “Feedback” as defined in our Terms of Service, and you agree to said Terms of Service.
You acknowledge that providing a report and/or any Feedback to us does not entitle you to any consideration, compensation, or reward of any kind.