
Topic: Crypto Gambling Sites and Bug/Exploit Reporting and Rewards. - page 2. (Read 247 times)

hero member
Activity: 1652
Merit: 518
If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.

The bug in the game is a common one, so until the bug is serious we need not worry about the gambling site's bugs. The minor bugs can't be considered serious, so we need not worry about that. If you feel the bug is dangerous, you can report it to the site owner. All the sites have the feature of rewarding the people who report the bugs and help the development team. They also reward the people reporting bugs based on the bug size. If major bugs are reported, the website will improve its performance based on our involvement.
full member
Activity: 2324
Merit: 175


This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.

There's also a possibility that they have their own security team, which is why they do not offer it, or they have assurance from the seller of the script, where they purchased the license, that guarantees the script against bugs, and the seller updates or patches the script from time to time.
Casinos, especially the small ones, can easily lose the reputation that they are slowly building if there are loopholes in their script. They don't want their users to have second thoughts about their platform, which is why they do not offer this. They are confident that their script is bug-free based on the assurance coming from the sellers of the script or their own teams.
hero member
Activity: 2996
Merit: 598
Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

Yes, that is the thing. Most of us would "ASSUME" that is the case, but for some reason more often than not that does not happen.

Then that is a big concern. They should have ongoing bug bounty rewards, and this should have a specific page dedicated to it, to assure that the casino is dedicated to maintaining the security of their platform. I seldom see this in the many casinos I'm playing at; they rely more on their terms and the security of their platform against cheaters.

But it could be that casinos have their own security team that tests the platform for vulnerabilities from time to time, which is why they do not have a page for this. Casinos know their business and they know hacking and bug exploitation happens; it is for their welfare to address it, either openly by offering bug bounty rewards or by hiring security experts.
legendary
Activity: 3542
Merit: 1352
If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.
hero member
Activity: 2184
Merit: 891
I see how noble and awesome this may be. But since this means less profit to the gambling site, I don't think they would be so keen as to implement such a feature even if it means that this will drive more users into their casino. For one, it doesn't make sense for them to invest money on coders and bug-catchers when solving simple bugs within the site is as easy as refreshing the website, and automatically refunding the money/wager that the customer has made. Sure this is a huge bummer on the customer's end but at the very least this absolves them from the responsibility of solving these bugs. Another would be the fact that most of these casinos aren't accepting of other people touching their code base. It's so easy to fetch source codes nowadays that you can basically create a derivative of a centralized casino on your own. They knew this much and are afraid of the legal repercussions that they might get tied with if such a situation comes around. So, they just wing their bugs.
legendary
Activity: 1624
Merit: 1007
Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

Yes, that is the thing. Most of us would "ASSUME" that is the case, but for some reason more often than not that does not happen.
sr. member
Activity: 2520
Merit: 280
Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

I am not sure on what basis you are saying one who reported bugs got $100 as a reward when the casino is ready to spend $5000 a week for promotion alone! Better give some examples to support what you are claiming and of course, it is not really tough for someone who is smart enough to run and find bugs will have a hard time contacting the dev/owner of the site.
legendary
Activity: 2660
Merit: 1261
Depends on the bugs, I don't think if the bug is critical they're going just to ignore it.

Most casinos will ignore a really minor bug. Unless your bug is a loophole in the customer data, accessing their fund, etc. If you think the bug is really affecting the service and they responding to what you have explained.

Another good thing to do next: just exploit the bug and then contact them again. What you got, sometimes action is necessary as long as you already reported it and they ignored you.
legendary
Activity: 1624
Merit: 1007
I'll start this off by saying that I do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto-related casinos/exchanges frustrates me so much that it makes me want to quit regularly (and I do, I just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

IF you operate an exchange/casino or any other service, especially if you deal with crypto/money or anything that has value. Please have a clear and easily accessible documentation/policy about bugs and exploits.

Currently what I see is:

1) Many exchanges and casinos just ignore the bug/exploit reports. They then fix them and pretend they did not even exist. OR they will tell you that they "knew" about it already. (but somehow still kept the casino running till the exact point where they were made aware of the exploit and then promptly taken offline). - IF THIS IS YOUR POLICY. Please state this clearly in your documentation.

2) Often Casinos and Exchanges treat critical issues as if they were minor or non-existent. A bug that can clearly drain ALL of your wallets gets a bounty of 50-100$. This just shows the lack of care for the safety of your users funds. Often these sites also delay the fixing of issues as usually the Dev who works on the site is either new or has been outsourced and only works on the site once a week or so.

3) Very rarely do I see sites that show actual appreciation for someone finding the exploit and reporting it. Maybe 1 in 5 if lucky. Probably closer to 1 in 7.

Please. IF You operate a site that deals with user funds/gambling or know someone who does. Have them set up a documentation.

1) Let the user know how to report the bug/exploit or any issue found. - Make it easy to find, don't bury it deep in the TOS.
2) Give estimations or at least a rough idea what a bug might be worth to you. - Even if you don't reward users for it, that is fine as well. Just state it clearly.
3) Respond to these types of issues in a timely manner. - So often I wait for days on a critical report.

This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.