
Topic: How best to report vulnerabilities? - page 5. (Read 659 times)

legendary
Activity: 3276
Merit: 2442
January 21, 2023, 06:23:16 AM
#16
Anyone else have any experiences of trying to report issues like this?  I want to be rewarded for my time verifying the issue without taking advantage of it and alerting someone about it, too, so I'm also just worried about giving the info out and having them come up with some excuse like "oh it just needed a restart it's fine now, that's not a bug."

Well if the bug isn't that serious, they will fix it the moment you mention it. That means you don't really deserve a reward for your discovery.

If the bug is a complex one, you need to find a way to describe the problem without giving them the important hints.

Maybe you warn them first and if they aren't interested in your proposal just use the exploit and give them a taste.

They will be all ears then.
hero member
Activity: 952
Merit: 555
January 21, 2023, 06:07:25 AM
#15
I've known owlsgames to be one of the reputable gambling casinos on this forum and getting this brought in place as observed is another big concern, when we are talking about bugs I don't like anything to do with such casino found with that, but in this case since this is coming in from the first time let's not assume to the suspected situation and if be, there's this possibility that they were not aware of it and if they do I want to rest assured they are also working on it because it will paint them black and red if they got nothing to defend themselves from it.
hero member
Activity: 2912
Merit: 541
Leading Crypto Sports Betting & Casino Platform
January 21, 2023, 05:57:41 AM
#14
You can immediately report it to the casino if you find a bug in the casino. Regardless of whether there is a bounty for those who can find the bug or not, you don't need to think about it because what you are doing has helped the casino so that no one is cheating.

But the casino should provide a bonus for those who can find a bug as a sign of gratitude for the casino for that person for notifying a gap that can be abused.

And it's going back to the casinos because we just want to help them by finding those bugs. There are still many casinos that can appreciate the help of others and the casino can give gifts to people who find them.
legendary
Activity: 2422
Merit: 1083
Leading Crypto Sports Betting & Casino Platform
January 21, 2023, 05:55:20 AM
#13
I am tempted to tell you to make some money for yourself since they care less about it, maybe doing this would indeed bring their attention to it, and maybe they would realize how severe the issue is.

But based on what I said above, and since they don't seem to understand the gravity of what you are pointing out to them, I would advise that you exploit them through the bug, but don't spend the money, send the money gotten from the exploit back to them and ask them to reward you accordingly.
What I sense with them is that they probably think you are one of those trolls looking for how to extort money from them, exploiting them through the bug (like I said before) will bring their attention to how severe the issue is and they will give you the attention you deserve.
hero member
Activity: 1498
Merit: 504
January 21, 2023, 05:32:51 AM
#12
So I discovered a bug affecting a mode of play at OwlGames casinos that results in certain games rewarding more money than they should.  I tried to report it to OwlGames but was told that they have no bug bounty program and to "enjoy the bug" (not kidding).  (of course their docs say that any "exploit" can result in not being paid out, but it's not an exploit if it's simply how things run under the given conditions - not that that would stop them from screwing someone over I'm sure)

Their poor attitude certainly doesn't do much to make me want to help them out anymore although that was my intent. 

But since it is only certain games, from 1 provider, should I try to contact that provider instead?  It's possible I imagine that it's not just OwlGames that might possibly lose money to the issue, though I really don't know.

I guess since these are casinos, losing a couple hundred to a few players every few days that would otherwise not have won anything maybe is just a drop in the bucket.  But I found it so strange that they immediately just alerted me that they have no bounty program.  Aren't casinos supposed to be pretty protective of their money even if they have a ton of it?  Huh

Anyone else have any experiences of trying to report issues like this?  I want to be rewarded for my time verifying the issue without taking advantage of it and alerting someone about it, too, so I'm also just worried about giving the info out and having them come up with some excuse like "oh it just needed a restart it's fine now, that's not a bug."
You already have good intentions by informing the casino management team that there is a bug in the OwlGames casino. If the management team doesn't respond to you properly and instead they dispute your report, it's better for you to remain silent and let them work on their own rather than end up being disappointed yourself for not being given a good response.
Very few gamblers care about this and instead they use it to play games that are experiencing bugs in order to win large amounts.
That's why I applaud what you have done because indirectly you want to help casinos that have a bug problem in one of the games in it.
legendary
Activity: 2688
Merit: 1192
January 21, 2023, 03:26:02 AM
#11
So I discovered a bug affecting a mode of play at OwlGames casinos that results in certain games rewarding more money than they should.  I tried to report it to OwlGames but was told that they have no bug bounty program and to "enjoy the bug" (not kidding).  (of course their docs say that any "exploit" can result in not being paid out, but it's not an exploit if it's simply how things run under the given conditions - not that that would stop them from screwing someone over I'm sure)

Their poor attitude certainly doesn't do much to make me want to help them out anymore although that was my intent. 

But since it is only certain games, from 1 provider, should I try to contact that provider instead?  It's possible I imagine that it's not just OwlGames that might possibly lose money to the issue, though I really don't know.

I guess since these are casinos, losing a couple hundred to a few players every few days that would otherwise not have won anything maybe is just a drop in the bucket.  But I found it so strange that they immediately just alerted me that they have no bounty program.  Aren't casinos supposed to be pretty protective of their money even if they have a ton of it?  Huh

Anyone else have any experiences of trying to report issues like this?  I want to be rewarded for my time verifying the issue without taking advantage of it and alerting someone about it, too, so I'm also just worried about giving the info out and having them come up with some excuse like "oh it just needed a restart it's fine now, that's not a bug."

That is some very bizarre behaviour from the casino and if they are encouraging you to use the bug then you can effectively create your own reward. The sad part is someone could be actively exploiting this right now and draining away active player funds if it is profitable like you suggest. It's not normal and most casinos would jump at the chance to plug any gaps for all sorts of reasons. Definitely a good idea to stay away as a player if it's true.
hero member
Activity: 1288
Merit: 564
Bitcoin makes the world go 🔃
January 21, 2023, 02:58:19 AM
#10
You did your task mate. You didn’t exploit the bug, you reported it to the support team, so consider your work is done. If still now owlgames’s money gets drained out from their site, then they will be the only ones who will be responsible for this. Their immature behaviour and attitudes to such reports will surely land them into some trouble. I am really impressed by you OP that in this cruel world, where people are ready to do anything for making money, you thought about the site. Yes contacting the game service provider will be the ideal decision now.
This is what I think as well, I mean the OP found a bug and instead of keeping quiet about it and taking advantage of it they decided to alert the casino about the possible consequences of this bug for them.

But for some reason it seems the casino disregarded their report and at least for now it does not seem as if they will do anything to try to correct it, in my opinion the OP has already done enough and should not feel responsible at all if another gambler finds out the bug, takes advantage of it and the casino loses a huge amount of money as a result for their negligence.

The way I view the OP's statement was he reported that there is a bug in the game to the support but he didn't explain the full details after the support told him that there's no bug bounty program to reward him. I guess the bug is still not fixed since OP is not going to think to report it to the game provider if he already told it to Owl and they just didn't take action on it. I mean he can simply abuse it if Owl knew the existence of the bug and didn't solve it.
legendary
Activity: 3318
Merit: 1247
Bitcoin Casino Est. 2013
January 21, 2023, 02:48:14 AM
#9
If there really is a bug in their game, of course this should be a serious concern for them, but if indeed they feel it's not a bug I think you also need to provide complete evidence to give them confidence, not just a screenshot, or you can use it with another way to let them know. To my knowledge there aren't many casinos that provide bug bounties.

I don't know about owlgames casino, I know about the bigger ones, sure they may not offer a bug bounty to people finding bugs but they take such claims very seriously and pass the matter to their technical team to verify such claims.

If provided video evidence, which for me would be the best, things can be taken more seriously from the casino mentioned here, they probably should take such claims much more seriously and their technical team should be upgraded as a minimum if it happens that the bug is true. I find that answer "enjoy the bug" really worrying about their behavior.
legendary
Activity: 2618
Merit: 1504
January 21, 2023, 02:34:18 AM
#8
So I discovered a bug affecting a mode of play at OwlGames casinos that results in certain games rewarding more money than they should.  I tried to report it to OwlGames but was told that they have no bug bounty program and to "enjoy the bug" (not kidding).  (of course their docs say that any "exploit" can result in not being paid out, but it's not an exploit if it's simply how things run under the given conditions - not that that would stop them from screwing someone over I'm sure)

Their poor attitude certainly doesn't do much to make me want to help them out anymore although that was my intent.  

But since it is only certain games, from 1 provider, should I try to contact that provider instead?  It's possible I imagine that it's not just OwlGames that might possibly lose money to the issue, though I really don't know.

<...>

Well, the most important thing is that you reported a vulnerability that allows dishonest players to take advantage. I think Owl.games will contact this provider, well, or you can try to inform them too. In general, well-known bug bounty programs have been conducted by such online casinos as Fortune Jack, Betcoin, Bitcasino, CakeBet; you can look at the current reward programs in the public bug bounty program list: https://www.bugcrowd.com/bug-bounty-list/
legendary
Activity: 2464
Merit: 1039
Bitcoin Trader
January 21, 2023, 02:14:21 AM
#7
If there really is a bug in their game, of course this should be a serious concern for them, but if indeed they feel it's not a bug I think you also need to provide complete evidence to give them confidence, not just a screenshot, or you can use it with another way to let them know. To my knowledge there aren't many casinos that provide bug bounties.
hero member
Activity: 2814
Merit: 734
Bitcoin is GOD
January 20, 2023, 10:53:51 PM
#6
You did your task mate. You didn’t exploit the bug, you reported it to the support team, so consider your work is done. If still now owlgames’s money gets drained out from their site, then they will be the only ones who will be responsible for this. Their immature behaviour and attitudes to such reports will surely land them into some trouble. I am really impressed by you OP that in this cruel world, where people are ready to do anything for making money, you thought about the site. Yes contacting the game service provider will be the ideal decision now.
This is what I think as well, I mean the OP found a bug and instead of keeping quiet about it and taking advantage of it they decided to alert the casino about the possible consequences of this bug for them.

But for some reason it seems the casino disregarded their report and at least for now it does not seem as if they will do anything to try to correct it, in my opinion the OP has already done enough and should not feel responsible at all if another gambler finds out the bug, takes advantage of it and the casino loses a huge amount of money as a result for their negligence.
hero member
Activity: 2702
Merit: 672
I don't request loans~
January 20, 2023, 10:37:36 PM
#5
Giving it to support should be fine. Anything else that happens outside of that, whether they take note or not, shouldn't be your responsibility nor should you even mind it in the first place imo. Now if it was a bug bounty program then that's a different thing, but it isn't anyway.
I guess since these are casinos, losing a couple hundred to a few players every few days that would otherwise not have won anything maybe is just a drop in the bucket.  But I found it so strange that they immediately just alerted me that they have no bounty program.  Aren't casinos supposed to be pretty protective of their money even if they have a ton of it?  Huh

Anyone else have any experiences of trying to report issues like this?  I want to be rewarded for my time verifying the issue without taking advantage of it and alerting someone about it, too, so I'm also just worried about giving the info out and having them come up with some excuse like "oh it just needed a restart it's fine now, that's not a bug."
I reckon it's to clarify things? I mean it's better to sooner tell someone that they don't have bounties for it than let them do it for nothing, could be a drop in rep if known after all. As for bug bounties, casinos would probably tell their users, or at least have an ANN sort in their local forums (if it has one) or public social media if they ever have one. And as I've said before, anything after that, whether they fix it, or "think" that they fixed it, or leave it alone, it's not your problem anymore.
hero member
Activity: 1064
Merit: 843
January 20, 2023, 10:01:00 PM
#4
I'm not a bug hunter but I think when you contact the support and want to explain the bug to them, it's better if you explain the possible losses if you were taking advantage of the bug you found. I'm sure they will be worried and want to fix it, so they will give you a reward after you explain it and give a way to fix it.

It's a shame how the casino didn't have a bug bounty and didn't want to give a small reward at least, although it's up to the casino since there's no agreement in this case.

You did your task mate. You didn’t exploit the bug, you reported it to the support team, so consider your work is done.
Will you delete your paid signature and consider wearing an unpaid signature or charity signature campaign? It's really good to support humanity.
copper member
Activity: 2268
Merit: 539
LuckyDiamond.io - FLAT 50% Deposit Bonus!
January 20, 2023, 10:00:13 PM
#3
You did your task mate. You didn’t exploit the bug, you reported it to the support team, so consider your work is done. If still now owlgames’s money gets drained out from their site, then they will be the only ones who will be responsible for this. Their immature behaviour and attitudes to such reports will surely land them into some trouble. I am really impressed by you OP that in this cruel world, where people are ready to do anything for making money, you thought about the site. Yes contacting the game service provider will be the ideal decision now.
hero member
Activity: 2044
Merit: 784
Leading Crypto Sports Betting & Casino Platform
January 20, 2023, 09:50:27 PM
#2
Lol, that is so strange. I would tell you to post on their official ANN thread on this forum section, but it's just not possible, since it was locked on January 05, 2023 by the casino's moderator, as you can see below:

https://bitcointalksearch.org/topic/m.61549366

Their instruction is to make contact through the "24x7 support", but since you have already done that and were trolled by their reply, I really have no clue what else could be done. Did you try contacting the third party provider?

It seems they have been having issues with support anyway, since they locked the thread saying to be "re-arranging its strategies to offer the best support".
newbie
Activity: 1
Merit: 0
January 20, 2023, 09:08:01 PM
#1
So I discovered a bug affecting a mode of play at OwlGames casinos that results in certain games rewarding more money than they should.  I tried to report it to OwlGames but was told that they have no bug bounty program and to "enjoy the bug" (not kidding).  (of course their docs say that any "exploit" can result in not being paid out, but it's not an exploit if it's simply how things run under the given conditions - not that that would stop them from screwing someone over I'm sure)

Their poor attitude certainly doesn't do much to make me want to help them out anymore although that was my intent. 

But since it is only certain games, from 1 provider, should I try to contact that provider instead?  It's possible I imagine that it's not just OwlGames that might possibly lose money to the issue, though I really don't know.

I guess since these are casinos, losing a couple hundred to a few players every few days that would otherwise not have won anything maybe is just a drop in the bucket.  But I found it so strange that they immediately just alerted me that they have no bounty program.  Aren't casinos supposed to be pretty protective of their money even if they have a ton of it?  Huh

Anyone else have any experiences of trying to report issues like this?  I want to be rewarded for my time verifying the issue without taking advantage of it and alerting someone about it, too, so I'm also just worried about giving the info out and having them come up with some excuse like "oh it just needed a restart it's fine now, that's not a bug."