Topic: Rollbit Bug Bounty Payout - RESOLVED (Read 287 times)

Hi Razer, thanks for taking the time to look over and address my concerns.

Apologies in advance for the long read, I just want to provide proper context to whomever reads this.

Keep in mind, I really didn't even want to post this because I enjoy Rollbit. I think it's great what you've accomplished thus far and I see a lot more potential in it. When I see potential in something, I want to see it grow as big and as best as it can be. I've no problem with you, Razer—so, don't take this personally. Instead, consider it constructive criticism.

It's a shame that you view me as somebody who wants to do harm, because I have shown I am not here to do harm in many different ways. I reported every single one of my findings despite me losing tens of thousands of dollars. As a member, I felt disrespected and treated unfairly on multiple occasions by your team which is why I closed my account. I think it's important to address that if certain individuals had done their job correctly, this thread would have never existed.

Allow me to explain...

First Incident:
Around November 10th, I made your team aware of the security concern in the shoutbox and I was told it would be looked into and that someone would reach out. This lead me to assume that my report was recognized at the very least. I was never contacted and no action was taken. On November 17th, I reported it again in the Discord server that way more team members would be made aware. The response to my claim was a Pepe emoji which I assume implied that I was bullshitting. I explained that I was unable to replicate it and show proof because I was broke, so I mentioned to look at my recent bets which could have shown evidence. You're correct to say I didn't go through the proper channels by reporting it directly to you, but I still reported it a couple of times to multiple members of your team and they apparently did nothing about it. I would have reported it to you, but I didn't want to be seen as The Boy Who Cried Wolf because the first bug I reported before this incident turned out to be nothing.

Three days later on November 20th, I noticed that the entire gaming provider was removed from the website. So, I reached out to you at first in hopes of at least receiving recognition so that I could work for or with Rollbit in the future. It made me pretty upset when the first thing that you said to me was: "Keep in mind, for reported concerns like above we pay generous bounties. Obviously we cannot pay such rewards once the damage is already done and we find the issue during our own investigation." because I initially never asked for compensation. I thought about your response and how you claimed to find the issue during your own investigation, which I find odd because I did report this multiple times. It felt as if I was being taunted, especially after reporting the security concern multiple times only to receive a Pepe emoji as a response. I hope you're able to understand my frustration there.

Based on my own experience, it's common to be paid for a bug bounty even if it has been abused already. I've potentially saved companies millions in damages by reporting something that was being abused and still got paid.

As for the Rollercoaster thing; of course I'm going to say it's rigged and be pissed off, I was being a degen who was using the 1000x multiplier. Everybody says it's rigged, it's almost as if it's a meme at this point. Just to be clear though, I never used the word "nigga" as a derogatory statement. I call people I am cool with "my nigga". I was however silenced from the Discord server for going off about how I wasn't paid for the exploit after I had lost a significant amount of money, which is what I was referring to when being silenced.


Second Incident:
My frustration has more to do with the people at Stake being lazy and incompetent. I told them how to reproduce it with detailed instructions. Instead of testing the bug, they took preliminary checks to see if the slots I mentioned were being abused. One of those checks was apparently contacting somebody at Rollbit and inquiring about the bug. This again left me without being compensated for a bug capable of causing serious damage.


Ongoing Incident:
I never gave much details in regards to this since it was ongoing. But, now that you've mentioned it, I will.

I reported this incident in the Discord and directly told your team. I didn't even ask for compensation or anything and I noticed that your team had again done nothing about it. So, I took action and registered the domain because I know what could of happened had I not. I go to officially report it to you and you essentially tell me thanks and to fuck off. I was then pawned off to like three different support agents after I asked if I would be compensated since it is a valid security concern and could have damaged Rollbit's reputation and users. I was told no, which prompted me to remember all of the other times I've been treated unfairly and caused me to close my account.

The next day you reached out and said that you deposited funds on my account which I had asked to be closed the day before. Before making assumptions, I asked if the funds be redirected elsewhere or that my account would be re-opened since I only closed my account because I felt as if was treated unfairly. I was of course again denied and told that it wasn't possible when it most certainly is. Similar to the first incident, I saw this as being taunted since you knew that my account was closed and probably the reason why I closed it too. Had you asked for my off-site address and given me your Namecheap username or unbanned me, I wouldn't have even felt the need to make this thread. I'm not holding the domain ransom, I just prefer to be compensated first considering my previous experiences—most of which I haven't even mentioned. I've been wronged many other times than these three incidents.

How can you question my intentions when I have literally spent hundreds of hours on Rollbit, wagered hundreds of thousands of dollars, lost tens of thousands of dollars, reported multiple bugs that I could have abused, made suggestions which have been implemented, offered members advice on how to grow their clipping accounts, helped members with various other things, etc.

Again, I wish I didn't have to make this thread, but being wronged so many different times after giving so much to Rollbit is extremely unsettling to me.

Hey devout,

Thanks for posting this. I'll respond to each point accordingly.

First Incident:

By your own admissions in the shared screenshots, you failed to report any bug and failed to replicate what was effectively a theory at the time.

As with all commercial bug bounty programs, there could only be some form of compensation if 1) the bug was reported in a responsible manner, 2) the bug could be reproduced, 3) the bug has security impact for users and/or the business.

While we prefer bugs to be reported directly via support, if for example you DM'd me a reproducible bug we would of course make an exception.



However, the fact remains that you didn't have a bug to report in the first place. You instead wanted to report an observation.

Such observations occur on a daily basis via mediums such as our site chat. Looking at your chat logs, you've claimed our provably fair Rollercoaster game is "rigged" several times.

We of course did not investigate Rollercoaster every single time you made this claim, as we're confident in the fairness of the game.

I double checked your on-site chat activity and confirmed no technical details about a bug were ever shared.

You went on to be muted from our site chat for the following messages in December:

> fucking rigged piece of shit
> nigga stfu

For your claims that happened after any bug incident occurred (when you spoke to me directly), we of course will not pay for an already exploited and fixed issue. The same for any other bug bounty program.

Second Incident (related to the first):

I believe this section only supports my comments above.

Stake allegedly (I'm not privy to what communication this was) reached out to us and we confirmed no issues. Stake were also unable to reproduce the suspected issue.

Cleary nothing technical was supplied to be able to reproduce the suspected issue.

Ongoing Incident:

This incident relates to yourself wanting to report an incorrectly listed email address, specifically a typo within the listed email address.

An issue like this could certainly have security impact. However, the email you were reporting to us belonged to and was managed by a third-party.

The issue was not located on our servers, nor did it pertain to any service we offer.

However, we still made a conscious effort to pass the issue onto the affected party, who have since addressed it.

The typo was in the domain part of the email address, which was available to register.

When you initially reported this to us the domain was still available to register. We escalated this to the third-party around this time.

However, shortly after this you suggested you registered the domain name. The third-party made us aware of this (as we had the open line of communication with yourself).

I now understand in their efforts to secure the domain from you, you essentially held the domain to ransom.

With all that said and despite there being no action required from Rollbit's end, on February 13th we issued devout's account a $1,000 bonus. This can be claimed when their self-exclusion expires.

This bonus was solely issued as we wanted to encourage their behaviour of reporting issues to us, a good-intentions reward if you like. While the email issue wasn't on our end, it was with a third-party we work closely with.

You can update the status on this one as it's no longer an ongoing incident for us.

Conclusion:

The idea that you posted this in 'Scam Accusations' is absurd. It calls into questions your intentions, they're clearly not that of someone who truly wants to do a good deed.

Rollbit's bug bounty program continues to pay generous bounties to anyone who reports a technical bug that degrades our user or systems security.

To date we've paid out many folks via this program. All after they provided us technical details about a security bug that were reproducible and addressed based on their report.

If someone has a truly serious issue that they'd like to report to us, please do so via our support team immediately.

The biggest problem here is not with the self-exclusion. The biggest problem is that I never got paid for my first exploit that I found and reported in November and that Rollbit lied to Stake about the exploit existing. I was given some bullshit excuse, which you can see below.

Razer admits that they won't pay me out because "damage was already done" and they apparently "found it during their own investigation". If they had found out about it in their own investigation before the multiple times I reported it to them, then why did it take them over 10 days to take action? The incompetency of their team for not taking action isn't my fault, it's theirs. I still did my part and reported it, expecting a payout.

The exploit was so bad that they removed the entire gaming provider from their platform. So, I am now not paid for finding an exploit that was costing them a lot of money. If I hadn't reported it, how long would it take for them to find it? How much money would they have lost?

https://i.imgur.com/S1UPHtD.png

On top of that, I went to Stake to report it to them. For some reason Stake thought it was a good idea to instead of replicating the exploit I found, consult ROLLBIT (their competitor) and ask if it was even a valid exploit. The result? Rollbit lied to Stake when asked about the exploit. I even showed my email correspondence with Razer that completely suggests otherwise. Therefore, Stake never even looked into the exploit which again fucked me over because I didn't get paid out for it.


This whole self-exclusion thing has to do with my most recent findings which happened this month. As I mentioned, it's quite obvious (due to my history with the Rollbit Team treating me unfairly) that they intentionally put the funds on a locked account. Razer can definitely see that my account was closed prior to adding funds to it. They are just using my account closure to buy themselves time to maybe fix the problem because, remember, I have leverage. I can almost guarantee you that they will find a reason to close my account to make sure I don't get access to the funds when the self-exclusion is up. They've been petty with me so many times in the past.

I see. Thank you for giving more details of the account closure. I am not sure I am correct, but the way I see and understand it, I think you unintentionally [as you never intended to undergo an exclusion] submitted a self-exclusion. According to their ToS and Responsible Gaming pages, if you wish to terminate your account, all you have to do is simply stop playing. You writing to their support and asking for an account closure might inadvertently interpreted as asking for self-exclusion, given that's the requirement for a self-exclusion



With that said, and daring to move closer to the next subject as it happen to be brushed on your reply [marked in bold], how likely do you think it is that it all happens by accident? i.e. Razer was arranging for your bonus [as I am sure you understand well, the bonus can not be instantly credited the second a decision is made, they need to arrange it with other department and it take time] and you happened to email their team asking for an account closure at a relatively close time. He reached to you to inform you about the bonus with complete unawareness that you requested a self-exclusion that's been granted one day prior.

Here's how it went down....

• I asked for my account to be closed, not self-excluded.
• Afterwards, the support agent provided a copy & paste message that said I would be self-excluded for 21 days and if I make a new account or sign into another account, they would permanently ban me.
• I ended the chat by saying "tired of being harassed by the staff members for trying to help. ok bye".
• Then, I was banned for self-exclusion immediately after.
• The next day, Razer deposited funds to my closed account and sent me an email that he did that.
• I asked for my account to be re-opened, only to be pawned off to 3 other agents who said it was impossible to do so.

It's likely that Razer pawned the ticket off to 3 other staff members because him and I both know it's possible for him to unban me. I don't have any proof of them unbanning an account from self-exclusion, I just know that from experience with owning websites that have a user database, it's definitely possible for them to reinstate my account.

Also, I never closed my account on the grounds of having a problem with gambling. I closed because I was being treated unfairly, which seems to be pretty evident from this whole entire thing

I am snipping the second half of the post in order to stay focused in one [easiest] issue and clearing them before moving on. One question: you do request for a self-exclusion?

And regarding the possibility to unban, as stated [and better explained by Kirito89 it should not be possible. They theoretically can, but they should not do that, as it will be ethically wrong, not to mention violating some regulations. If you still insist that they can, in a sense that there are prior instances of them unfreezing an account before its exclusion period runs out, you are more than welcome to provide it.

I'm not trying to argue against you or anything. I really appreciate your concern and attention to this as well as everybody else's.

Hopefully this can clear it up a bit... It may be against regulation and policy to revert a self-exclusion based on the idea that I had a gambling addiction, but I never self-excluded for the reason of addiction. I was never even asked why I wanted to self-exclude like how they normally do. They need you to admit that you're a gambling addict, which I never did nor did I hint towards that. I self-excluded for the reason of being treated unfairly by the Rollbit team, which I did mention to the person who did it.

When you say it's not possible, you're making it sound like it's literally impossible for them to do, which is not true.

Example User Data Table:
All they would have to do is change the `SelfExclusionBan` parameter from `1` (which means yes) to `0` (which means no)


Casinos hate when players have any sort of leverage over them which is why they will instantly get rid of someone who does. When players win a lot of money at any casino, they are no longer welcome there. I may not have won against the casino monetarily, but I easily could have if I didn't report any of my findings to them. Even though I had just lost like 500 Solana to them in a single month, they refused to pay me out in the first incident. The incompetency of their employees was probably costing them hundreds of thousands of dollars. If you look at the email correspondence, Razer said: " we pay generously for bugs" (multiple times btw) and encouraged me to find more.

So, I go to find more, being the good boy I am. When I present my new findings to Razer, I am instantly denied the bug bounty and told that it doesn't meet the scope. Why? Because they thought that they could fix it and that I had 0 leverage over them. As soon as they consulted with their third party agency and realized that I have leverage over them, they want to act all nice by saying that I will be rewarded. So, they "take a safe gamble" and put a balance on an account that I can't access for 19 days. This gives them time to either fix the problem or for me to give them the only "leverage" I have.

I lose both ways, which is why I am here telling you that they will ban me as soon as I get access to that account or they won't let me withdraw.

This is me just "yapping", but:
I know how these people are and they view me as a threat. They will find a reason to ban me, which is fucked up. They've already muted me for over a year for saying "nigga" (used as a friendly greeting, in a non-derogatory manner), they have banned me from their Discord server when all I did was give suggestions on how to improve Rollbit and help players in their Clipper Discord.

Remember that casinos are gamblers too and are just as hungry for any type of advantage as a player is. They hate the players just as much as the players hate them. Most players just have Stockholm Syndrome and "dick-suck" casinos thinking that they will get lucky one day. Casinos enable the Stockholm Syndrome by creating communities, doing giveaways, participating in nepotism, etc. I'd probably be the best employee at Rollbit because I see their weak points and I know how to improve the site. But, since I am not on the payroll nor do I "dick-suck" and be a fake person, I am an enemy in their eyes. Due to their ego, they will probably spend more to fix their problem than for me to fairly be compensated.

None of this would have even transpired if they matured and realized the old saying: "The enemy of my enemy is my friend". Myself being neutral and an "enemy" to the players by making sure they don't have an unfair advantage. Their loss, I guess.

Thank you. As always, your "insider" insight from casino perspective is very much welcome and appreciated. OP, as you can read above, casinos take that ban you impose on yourself very seriously. It is a common and known practice by casinos, not only Rollbit, to refuse to lift a self-exception. They are simply sticking to the rules instead of toying with you when they ask you to wait for the period to runs out.

While I don't represent Rollbit, would just like to say that a self-exclusion is not, and should never be reversed (theoretically it can), for the simple fact that self-exclusions are in place due to Gamble Aware regulations, and any self-respecting casino, at least any licensed casino will never undo a self-exclusion or a self-ban.

You're saying that you know for sure that it can be reverted? Self-exclusion? Do you mind to provide a supporting evidence for it? Because if it can and they do [and that you can prove it], it's a very wrong procedure and against the gambler protect policy and it is a very serious situation.

As for your example of rogue moderator, that's not self-exclusion, that's a mod-ban, a temporary ban. And yes, that can be reversed because that is an act of a moderator, it's an action taken as a result of a violation [suppose the ban is justified] by a player against a policy or --as you said-- a rogue moderator unjustifiedly acted on his own. But for the case of exclusion, be it a self-exclusion or because the staff detects signs of gambling addiction, that should not be able to be tampered and reversed before the period runs out because it is a procedure to create a safe and responsible gambling.

Those two situations, the ban by mods and exclusion, are two completely different situations. And no, it is relevant because it is one of the point of your accusation, that they can or can not [or rather, will or will not] tamper with exclusion.

I'm not sure where you get your sources from, but that is completely false about them not being able to revert the self-exclusion ban. Are you saying that there is a user datatable that CANNOT be tampered with manually whatsoever? Well, if you were implying that you would be wrong. Databases can most definitely be tampered with, it's just how it works.

What if a rogue moderator self-excluded the top players at Rollbit? You think they wouldn't find a way to undo it? It's not impossible to do and likely wouldn't affect Rollbit in anyway.

Anyways, the self-exclusion is irrelevant at this point. I'm not here to argue about just that. There's plenty more points I made and proof to back up my accusations.

It was brought up because you said what quoted below. It seems there is a misunderstanding about how their self-exclusion works, something quite easy that needs to be straightened in this pile of accusations you raised, and that's why I tackled that point prior to addressing other matters.

They do not have the ability to "unban" you during the self-exclusion period. There is a 21-days [or whatever days they assign to it] cool-down period, and after that, you'll be offered an option to extend the self-exclusion for certain period or to permanently disable your account. You'll automatically regain access to your account after that period is over. Likewise, if you choose to extend it, you'll be once again locked away from the account for the duration you choose.

To put it simply, no one will be able to re-enable your account before a self-exclusion period is over. Not them, not even you.

Is this part clear yet?

What are you talking about? I'm a "snitch" for reporting an exploit? Okay buddy. You think that people who abuse exploits like this are Robin Hood? No, the people who do abuse things like this are just as greedy as the casino.

I don't think you're understanding what I'm trying to say. I'm not sure why people keep bringing up the self-exclusion part. That's not even entirely why I'm accusing Rollbit of scamming.

In the first incident, Razer admits to not paying out the bug bounty because:
1. "The damage was already done"
- This is the founder of Rollbit admitting that the exploit that I found and reported exists

2. "We found it in their own investigation"
- This is clearly a lie and it's just some bullshit he added in because his first excuse is awful

Ask yourself the following questions:
- If this were true, why wouldn't they have taken action sooner?
- If this were true, why did they lie to Stake about it when confronted?
- If this were true, why wouldn't they make it public?
- If this were true, why would they remove the entire gaming provider?
- If this were true, why do they silence me for speaking about it?


In the second incident, I went to try and report the exploit to Stake. I mentioned my interaction with Rollbit to further convince the Stake employees to look into it because nobody's going to believe a random person who claims they are able to increase their RTP. Stake employees are incompetent and didn't even attempt to replicate the exploit. Instead, they went to Rollbit (THEIR COMPETITOR BTW) and asked about it. Rollbit LIED to Stake about the exploit which is why Stake never looked into it either.

All of these sites will continue to be hacked and exploited because of incompetent employees who are too lazy to do their fucking job.

In the third incident, Rollbit employees are so shitty at their job that they need to they have to hire a third-party PR agency to help them out. The person who oversees that
couldn't even catch an error in the final draft of the FaZe x Rollbit Sponsorship that could cost Rollbit their reputation if I didn't find it first.

Rollbit's response to me trying to help them out? They do anything they can to fuck me over and make sure that I lose money.


Razer, when you see this: hire competent people so you won't have to deal with motherfuckers like me.

I gave your story a quick look. I'd like to address the self-exclusion situation first. I believe you didn't apply for a permanent exclusion but more to the "cool down period"? Thus, your account will be locked for 21 days or so, and after that, you'll get an option to continue the self-exclusion by permanently closing the account or to resume playing.

As with a case of self-exclusion, they have to stick with the cool-down period, they can't intervene the system by expediting the countdown or unlock it at will.

  so you are a snitcher  if you just left that players benefits from that  shady casino
that casino with his fake influencers and the rollbots  nfts sheme/ and rlb token  pump and dump shemes  scammed a lot of players

you deserves nothing anyway

They refused to unlock my account when I know damn well they can. I only self-excluded from that site due to staff treating me unfairly. The person in charge of the self-exclusion didn't even ask questions and immediately banned me. As I mentioned, they could see that my account was self-excluded before giving a loyalty bonus. Why would they first deny me and say that I can't get paid? Then, after consulting their PR agency, they pretend to be all nice and deposit an unknown amount of funds into an account that I can't access?

I have good reason to believe that they want me to give them something I have. Then, afterwards ban me for it or force me to KYC then deny it. These people do not like me at all.

I'm aware with how their system works, I think you might just be misunderstanding what I'm posting. I am calling them out for being unfair to me in multiple different incidents.

I've already asked them to remove the self-exclusion and they won't, you would have learned this by looking at the screenshots I provided.

I knew discord chat server (community representative), chatbox and support pages/emails have different persons in-charge, you should email them on their support email directly instead, if there's no bug bounty information/contact on their site.

With the same suggestion above with the reward given to you (loyalty bonus) you should request to remove the self-exclusion (unlock your account) and see for yourself on how things will goes after that.

Running a bug bounty for them is not compulsory; they can't force you to do anything you are not willing to do. I will advise that if you want to see if they have truly gifted you the loyalty bonus, you should try contacting them to get your account unlocked, and if they refuse, then you can know where to start pointing your next finger.
 
A locked account can be credited but can't be withdrawn, so try contacting them first. If they get your account unlocked, you can either fully meet the bonus requirement if there is any or get the reward withdrawn and let them be. If you are having a good gambling experience with them, you might either continue using it or leave that part for them. No one wants to waste effort on something they will not be rewarded for.

This has now been resolved.

Thank you Razer and team for handling this situation, I appreciate it.