Topic: Crypto Gambling Sites and Bug/Exploit Reporting and Rewards.

full member
Activity: 998
Merit: 157
I will not name names, but I have reported multiple exploitable line issues to different sportsbooks (very popular ones) and have not received any reward whatsoever.

They were usually bad lines, i.e. late odds or slow to update live odds. They were pulled as soon as I reported and I got a 'thanks'.

Never did it again :D :(
legendary
Activity: 2534
Merit: 1338
That's interesting but I think I still see a lot of websites who have a bug bounty or sometimes called a feedback reward which I think can work the same according to their description. Most of these sites are not really that well known and as for the ones who are already at the top, I think they have already done a lot of upgrades and their system is already in good condition. That may be the reason why they don't offer a bug bounty anymore.

IDK if it was the OP but I saw a thread last time in which the user said that his bug reports are only being ignored by the casino. We are not sure if they do, or maybe they already took note of the message and fixed it, but the user must be compensated.
The sad part about all of this is that if casinos, exchanges and any other similar business that deal with cryptocurrencies listened to their users this could be avoided, however it is true that many of those entities choose to ignore bug reports, which allows some hackers to take advantage of those vulnerabilities, steal a lot of money and then claim a huge bounty they can keep legally, when the problem could have been resolved for a tenth of the price they will have to pay at that point to that hacker.
hero member
Activity: 2814
Merit: 618
IDK if it was the OP but I saw a thread last time in which the user said that his bug reports are only being ignored by the casino. We are not sure if they do, or maybe they already took note of the message and fixed it, but the user must be compensated.

There can be a number of reasons why the gambling site may ignore any bug reported by the user. Because they have no clue how to fix that bug, they can ignore the site bug. Sometimes the gambling site won't even start a bug bounty, because they do not want to make their shortcomings public or have no resources/skills to fix them.

Regarding the reward to the user who reported the bug, if he reported voluntarily, the gambling sites are not bound to pay him.
hero member
Activity: 1666
Merit: 709
Well you are right mate, many exchanges fail to check how strong they are against attacks like hacking and also many of the gambling platforms don't do regular maintenance to prepare themselves or correct any bugs that may hinder the free flow of activities on the platform.

But the truth is that the gambling platform and even exchange sector has many options for consumers to choose from. I think the users also have a part to play in all this: before selecting any gambling platform it is best to do your own research, check how trusted and fair they are, check the rating on such platforms and the history (if there have been any attacks or bugs and how the platform has handled such situations).
legendary
Activity: 2044
Merit: 1075
This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.
Casinos and exchanges should have a bug bounty, one of the main reasons is they already have a dedicated team for this and the administrator is paying these people to fix bugs and patch and if they post that they have a bug bounty they will be targeted by hackers for exploits because hackers will think that they do not have an internal security to fix exploits.

Casinos and exchange especially the big one will only test for security flaws and bugs prior to their launching and from there they are going to monitor the script or theme for possible exploits so if there is a bug it will be fixed soon by their team or the casino will suffer from too many glitches because of failure to fix the bugs.
That's interesting but I think I still see a lot of websites who have a bug bounty or sometimes called a feedback reward which I think can work the same according to their description. Most of these sites are not really that well known and as for the ones who are already at the top, I think they have already done a lot of upgrades and their system is already in good condition. That may be the reason why they don't offer a bug bounty anymore.

IDK if it was the OP but I saw a thread last time in which the user said that his bug reports are only being ignored by the casino. We are not sure if they do, or maybe they already took note of the message and fixed it, but the user must be compensated.
hero member
Activity: 2926
Merit: 640
If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.
If you are already profiting from it, I don't think it will be easy for you to surrender the exploit but it's never too late to be a good guy. Maybe some will do it if they can't sleep peacefully at night. Small bugs are easy to spot and the ones that will report it in the hopes of getting a reward are the normal users.

I tried it actually and you are right. It seems the casino didn't care much about them because they just ignored my message. For those who have exceptional skills in the IT field, they will always go for the major exploit because they know that the reward for them is huge and maybe they will exploit it first if they are a little greedy.
legendary
Activity: 3318
Merit: 1133
That first one is true. Most of the time it will be the gamblers who will experience the bug after playing for a long time. When they report it to the mass chat and moderators will see it then they will say it is being attended, so it gives a freebie to the gambling site where they should be paying after that report. You are right about online gambling business taking care of it without any ruckus and it sucks for the one who saw the mistake because none will be given to him and it will be fixed like nothing happened.

Imo, they should give more if one user finds it because it will lessen the payment unlike hiring a pro to keep on looking for errors while in the end they cannot even see it.
hero member
Activity: 2996
Merit: 598


Would you mind sharing with us the names of those "several casinos"? Perhaps a little bit of negative marketing would force the owners of those casinos to do something about it and solve the bugs/exploits.
I don't mind having a publicly available list of crypto casinos, that currently have bugs. Such list will definitely force the casino owners to improve their websites.

I don't think OP will not divulge the names of these casinos, they will just deny it and it will become a he said they said scenario, casinos don't want to be put in this kind of scenario where they have to defend themselves when it comes to security.
Website security is a serious thing casinos can easily lose their reputation and OP needs to back up his word if the bug is already fixed OP will be in a bad situation so let's just be aware that some casinos are like this, they do not want to put a bounty page, it's their prerogative after all.
hero member
Activity: 2912
Merit: 541
It's normal for casinos not to immediately take care of or fix bugs in their system for days because the casino claims they already know about it and are making repairs. But whether they are still delaying the repair or fixing it immediately, we won't know. If the casino hasn't fixed the bug we reported, it means that they are taking security issues lightly, which should be a priority for the casino so they should immediately check it and fix the bug if their security team finds it. But I think there must always be alert casinos, especially if someone finds a bug in their system so they will immediately check and fix the bug so that other people can't use it.

It depends on the casino because if they think the bug is not too dangerous, maybe they can work on it slowly while looking for other bugs that might be more harmful to the casino. Apart from that, casinos also depend on the security team they have in checking for bugs. If the security team can fix the bug immediately, they will fix it immediately.
hero member
Activity: 2702
Merit: 672
I don't request loans~
~
That's just how businesses go. I've been in a small company once that used to hire 3rd party developers to create their programs. They used to pay upwards of thousands of dollars into them, and not just a one-time payment but as well as a monthly maintenance fee. When I first entered and looked at the quality of the system they made, I was honestly thinking why the hell are they still hiring these people, the system looks so outdated not to mention the tens to hundreds of bugs and reports that people who use the system keep reporting to us.

They also tend to downplay a lot of bugs since, well, a lot of people don't even manage to understand how it works so I think they think they can get away with it without any big rewards at all. At that instance where it's reported they can immediately tend to it after all so it isn't exploited, so they just downplay the services of this bug bounty services they offer.
legendary
Activity: 3416
Merit: 1225
This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.

Casinos and exchanges should have a bug bounty, one of the main reasons is they already have a dedicated team for this and the administrator is paying these people to fix bugs and patch and if they post that they have a bug bounty they will be targeted by hackers for exploits because hackers will think that they do not have an internal security to fix exploits.

Casinos and exchange especially the big one will only test for security flaws and bugs prior to their launching and from there they are going to monitor the script or theme for possible exploits so if there is a bug it will be fixed soon by their team or the casino will suffer from too many glitches because of failure to fix the bugs.
hero member
Activity: 1652
Merit: 518
My kind of person would go ahead and exploit the bug when I find it, and then report to the casino or exchange and be ready to return whatever funds I collected through the exploit, but this is after we must have negotiated and come to agreement on how much they will pay me as a bounty for my find.

Though I will only do this after like two or three experiences where I find a critical bug in a casino or exchange, and after reporting it and expecting them to reward me, they refuse claiming they already had known about it, or with the claim that the bug is not critical enough. It is commonly said in my place that "when a bird learns to fly without perching, the hunter will learn to shoot without missing".

So like I've said, if I've had experience like above with two or three gambling casinos or exchanges, I will start exploiting any bug I find in a casino or exchange, then report to them after I have their funds in my custody, maybe this way, they will learn to appreciate honest bug bounty hunters.

The gambling sites was ready to spend huge money for the person who involved in the gambling now. The reason is by giving the gamblers loss by finding the error, the gamblers who doing the error finding in the website and reporting by seeing the welfare of the gamblers. Every new game will have some bug at the initial launch, some ethical hacker use this bug finding and win in the environment. If you play of three games in three different website and you had found three bugs in all three website. Then create a mail to the developer or owner of the project. You need to attach the bug details in screenshot to the gambling sites which had bugs.
legendary
Activity: 1624
Merit: 1007
My kind of person would go ahead and exploit the bug when I find it, and then report to the casino or exchange and be ready to return whatever funds I collected through the exploit, but this is after we must have negotiated and come to agreement on how much they will pay me as a bounty for my find.

Though I will only do this after like two or three experiences where I find a critical bug in a casino or exchange, and after reporting it and expecting them to reward me, they refuse claiming they already had known about it, or with the claim that the bug is not critical enough. It is commonly said in my place that "when a bird learns to fly without perching, the hunter will learn to shoot without missing".

So like I've said, if I've had experience like above with two or three gambling casinos or exchanges, I will start exploiting any bug I find in a casino or exchange, then report to them after I have their funds in my custody, maybe this way, they will learn to appreciate honest bug bounty hunters.

While this is an option (and sometimes also necessary to a degree) I usually try to avoid solutions like that. The reason being that you also want to keep a level of professionalism so you don't scare away your potential customers. And it can also land you in some hot water legally speaking.
legendary
Activity: 2422
Merit: 1083
My kind of person would go ahead and exploit the bug when I find it, and then report to the casino or exchange and be ready to return whatever funds I collected through the exploit, but this is after we must have negotiated and come to agreement on how much they will pay me as a bounty for my find.

Though I will only do this after like two or three experiences where I find a critical bug in a casino or exchange, and after reporting it and expecting them to reward me, they refuse claiming they already had known about it, or with the claim that the bug is not critical enough. It is commonly said in my place that "when a bird learns to fly without perching, the hunter will learn to shoot without missing".

So like I've said, if I've had experience like above with two or three gambling casinos or exchanges, I will start exploiting any bug I find in a casino or exchange, then report to them after I have their funds in my custody, maybe this way, they will learn to appreciate honest bug bounty hunters.
hero member
Activity: 3150
Merit: 937
Quote
There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

Would you mind sharing with us the names of those "several casinos"? Perhaps a little bit of negative marketing would force the owners of those casinos to do something about it and solve the bugs/exploits.
I don't mind having a publicly available list of crypto casinos, that currently have bugs. Such list will definitely force the casino owners to improve their websites. Waiting to get paid for finding bugs won't work. Most casino owners are stingy and most crypto casinos don't want to put some money aside for such purposes.
Many crypto casinos are using the same templates and gambling scripts. I am no expert in this field, but what is the chance all those casinos to have similar bugs?
sr. member
Activity: 1106
Merit: 391
Usually online casino platforms have teams that work on application development or they outsource it to other companies. The development of applications certainly requires a process and cannot be just developed and run at any time. There are stages where application development takes longer and if there is a bug that is not too disruptive to the service, usually the platform will note it and include it in the next stage of development. As long as the bug is not fatal and a danger to the service, usually it will be left until everything has been developed by the team.
However, it is true that the platform's appreciation for bug bounties is sometimes not commensurate with the bugs found and that is why many bug hunters prefer to exploit these bugs and sell them to hackers.
legendary
Activity: 1624
Merit: 1007
I'll start this off by saying that I do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto related casinos/exchanges frustrates me so much that it makes me want to quit regularly (and I do, I just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

This is not just a problem with gambling sites, but there should definitely be proactiveness on the part of administrators in recognizing problems and resolving them more effectively, especially when we are dealing with other people's money.

Unfortunately, not only casinos, but many websites underestimate the service of honest people who encounter and report these problems.
In addition to resolving problems when reported, they should recognize the importance of whoever found the problem and reward them fairly, always looking at how much they could have asked for if the flaw had been exploited by someone with bad intentions.

This is exactly it. This is something that happens on many sites that deal with user funds, or with user data. How many times have we seen companies "lose" users' data and act as if it is nothing. It just feels it's especially prevalent in crypto circles.
legendary
Activity: 2352
Merit: 1121
☢️ alegotardo™️
I'll start this off by saying that I do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto related casinos/exchanges frustrates me so much that it makes me want to quit regularly (and I do, I just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

This is not just a problem with gambling sites, but there should definitely be proactiveness on the part of administrators in recognizing problems and resolving them more effectively, especially when we are dealing with other people's money.

Unfortunately, not only casinos, but many websites underestimate the service of honest people who encounter and report these problems.
In addition to resolving problems when reported, they should recognize the importance of whoever found the problem and reward them fairly, always looking at how much they could have asked for if the flaw had been exploited by someone with bad intentions.
hero member
Activity: 1498
Merit: 547
Depends on the bugs, I don't think if the bug is critical they're going just to ignore it.

Most casinos will ignore a really minor bug. Unless your bug is a loophole in the customer data, accessing their fund, etc. If you think the bug is really affecting the service and they responding to what you have explained.

Another good things to do next, just exploited the bug and then contact them again. What you got, sometimes action is necessary as long you already report it and they ignore you.
The majority of bugs that are reported are usually taken into account by most casinos whether it be a minor or a major bug, however it varies depending on how these bugs affect its users and the casino on whether they proceed with an action.

I've seen minor bugs on different gambling platforms here that have been there ever since and are known bugs, but since it doesn't affect the casino much, no action has been taken.

Still, there are just some gambling sites out there that don't really care much until they get affected or multiple reports have been raised and publicized.
legendary
Activity: 3542
Merit: 1352
If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.

The bug to the game is common one to the game, so until the bug will be serious we no need to worry about the gambling site bugs. The minor bugs can't be consider as the serious one, so we no need to worry on that. If you feel the bug is dangerous, you can report the same bug to the site owner. All the site as the features of rewarding the people who report the bugs and help the developing team. The also reward the bug reporting people based on the bug size. If the major bugs was reported the website will improve their performance based on our involvement.

Though there could be minor bugs out there that could potentially lead to a critical one if left unchecked, or if it could be exploited even further to huge bigger problems. There are some bugs that act as if they are benign initially, but becomes devastating once discovered that it's connected to other parts of the game or platform. Pretty sure that the casino will have their eyes and ears on those minor bugs, though not as intently as what they give to the bigger ones.
hero member
Activity: 1652
Merit: 518
If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.

The bug to the game is common one to the game, so until the bug will be serious we no need to worry about the gambling site bugs. The minor bugs can't be consider as the serious one, so we no need to worry on that. If you feel the bug is dangerous, you can report the same bug to the site owner. All the site as the features of rewarding the people who report the bugs and help the developing team. The also reward the bug reporting people based on the bug size. If the major bugs was reported the website will improve their performance based on our involvement.
full member
Activity: 2324
Merit: 175


This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.

There's also a possibility that they have their own security team which is why they do not offer it or they have assurance from the seller of the script where they purchase the license of their script that guarantees the script from bugs and the seller updates or patch the script from time to time.
Casinos especially the small ones can easily lose the reputation that they are slowly building if there are loopholes in their script, They don't want their users to have second thoughts on their platform which is why they do not offer this they are confident that their script is bug-free based on the assurance coming from sellers of the script or their own teams.
hero member
Activity: 2996
Merit: 598
Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

Yes, that is the thing. Most of us would "ASSUME" that is the case, but for some reason more often than not that does not happen.

Then that is a big concern They should have ongoing bug bounty rewards and this should have a specific page dedicated to it this is to assure that the casino is dedicated to maintaining the security of their platform, I seldom see this in many casinos I'm playing they rely more on their terms and security of their platform from cheaters.

but could be that casinos have their own security team that tests the platform for vulnerability from time to time which is why they do not have a page for this, Casinos know their business and they know hacking and bug exploitation happens, it is for their welfare to address either openly by offering bug bounty rewards or hire security experts.
legendary
Activity: 3542
Merit: 1352
If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.
hero member
Activity: 2184
Merit: 891
I see how noble and awesome this may be. But since this means less profit to the gambling site, I don't think they would be so keen as to implement such a feature even if it means that this will drive more users into their casino. For one, it doesn't make sense for them to invest money on coders and bug-catchers when solving simple bugs within the site is as easy as refreshing the website, and automatically refunding the money/wager that the customer has made. Sure this is a huge bummer on the customer's end but at the very least this absolves them from the responsibility of solving these bugs. Another would be the fact that most of these casinos aren't accepting of other people touching their code base. It's so easy to fetch source codes nowadays that you can basically create a derivative of a centralized casino on your own. They knew this much and are afraid of the legal repercussions that they might get tied with if such a situation comes around. So, they just wing their bugs.
legendary
Activity: 1624
Merit: 1007
Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

Yes, that is the thing. Most of us would "ASSUME" that is the case, but for some reason more often than not that does not happen.
sr. member
Activity: 2520
Merit: 280
Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

I am not sure on what basis you are saying one who reported bugs got $100 as a reward when the casino is ready to spend $5000 a week for promotion alone! Better give some examples to support what you are claiming and of course, it is not really tough for someone who is smart enough to run and find bugs will have a hard time contacting the dev/owner of the site.
legendary
Activity: 2660
Merit: 1261
Depends on the bugs, I don't think if the bug is critical they're going just to ignore it.

Most casinos will ignore a really minor bug. Unless your bug is a loophole in the customer data, accessing their fund, etc. If you think the bug is really affecting the service and they responding to what you have explained.

Another good things to do next, just exploited the bug and then contact them again. What you got, sometimes action is necessary as long you already report it and they ignore you.
legendary
Activity: 1624
Merit: 1007
I'll start this off by saying that I do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto related casinos/exchanges frustrates me so much that it makes me want to quit regularly (and I do, I just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

If you operate an exchange/casino or any other service, especially if you deal with crypto/money or anything that has value, please have clear and easily accessible documentation/policy about bugs and exploits.

Currently what I see is:

1) Many exchanges and casinos just ignore the bug/exploit reports. They then fix them and pretend they did not even exist. OR they will tell you that they "knew" about it already (but somehow still kept the casino running till the exact point where they were made aware of the exploit and then promptly taken offline). - IF THIS IS YOUR POLICY, please state this clearly in your documentation.

2) Often casinos and exchanges treat critical issues as if they were minor or non-existent. A bug that can clearly drain ALL of your wallets gets a bounty of 50-100$. This just shows the lack of care for the safety of your users' funds. Often these sites also delay the fixing of issues as usually the dev who works on the site is either new or has been outsourced and only works on the site once a week or so.

3) Very rarely do I see sites that show actual appreciation for someone finding the exploit and reporting it. Maybe 1 in 5 if lucky. Probably closer to 1 in 7.

Please. If you operate a site that deals with user funds/gambling or know someone who does, have them set up documentation.

1) Let the user know how to report the bug/exploit or any issue found. - Make it easy to find, don't bury it deep in the TOS.
2) Give estimations or at least a rough idea what a bug might be worth to you. - Even if you don't reward users for it, that is fine as well. Just state it clearly.
3) Respond to these types of issues in a timely manner. - So often I wait for days on a critical report.

This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.