Crypto Gambling Sites and Bug/Exploit Reporting and Rewards.

[edmundduke]

Ill start this off by saying that i do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto related casinos/exchanges frustrates me so much that it makes me want to quit regularily (and i do, i just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

IF you operate an exchange/casino or any other service, especially if you deal with crypto/money or anything that has value. Please have a clear and easily accessable documentation/policy about bugs and exploits.

Currently what i see is:

1) Many exchanges and casinos just ignore the bug/exploit reports. They then fix them and pretend they did not even exist. OR they will tell you that they "knew" about it already. (but somehow still kept the casino running till the exact point where they were made aware of the exploit and then promptly taken offline). - IF THIS IS YOUR POLICY. Please state this clearly in your documentation.

2) Often Casinos and Exchanges treat critical issues as if they were minor or non-existent. A bug that can clearly drain ALL of your wallets gets a bounty of 50-100$. This just shows the lack of care for the safety of your users funds. Often these sites also delay the fixing of issues as usually the Dev who works on the site is either new or has been outsourced and only works on the site once a week or so.

3) Very rarely do i see sites that show actual appreciation for somneone finding the exploit and reporting it. Maybe 1 in 5 if lucky. Probably closer to 1 in 7.

Please. IF You operate a site that deals with user funds/gambling or know someone who does. Have them set up a documentation.

1) Let the user know how to report the bug/exploit or any issue found. - Make it easy to find, dont burry it deep into TOS
2) Give estimations or at least a rough idea what a bug might be worth to you. - Even if you dont reward users for it, that is fine aswell. Just state it clearly.
3) Respond to these types of issues in a timely manner. -  so often i wait for days on a critical report.

This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.

[1714852774]

1714852774

[ryzaadit]

Depends on the bugs, I don't think if the bug is critical they're going just to ignore it.

Most casinos will ignore a really minor bug. Unless your bug is a loophole in the customer data, accessing their fund, etc. If you think the bug is really affecting the service and they responding to what you have explained.

Another good things to do next, just exploited the bug and then contact them again. What you got, sometimes action is necesarry as long you already report it and they ignore you.

[jrrsparkles]

Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

I am not sure on what basis you are saying one who reported bugs got $100 as a reward when the casino is ready to spend $5000 a week for promotion alone! Better give some examples to support what you are claiming and of course, it is not really tough for someone who is smart enough to run and find bugs will have a hard time contacting the dev/owner of the site.

[edmundduke]

Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

Yes, that is the thing. Most of us would "ASSUME" that is the case, but for some reason more often than not that does not happen.

[Casdinyard]

I see how noble and awesome this may be. But since this means less profit to the gambling site, I don't think they would be so keen as to implement such a feature even if it means that this will drive more users into their casino. For one, it doesn't make sense for them to invest money on coders and bug-catchers when solving simple bugs within the site is as easy as refreshing the website, and automatically refunding the money/wager that the customer has made. Sure this is a huge bummer on the customer's end but at the very least this absolves them from the responsibility of solving these bugs. Another would be the fact that most of these casinos aren't accepting of other people touching their code base. It's so easy to fetch source codes nowadays that you can basically create a derivative of a centralized casino on your own. They knew this much and are afraid of the legal repercussions that they might get tied with if such a situation comes around. So, they just wing their bugs.

[dothebeats]

If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.

[coin-investor]

Most sites related to money run bug bounty programs at the initial stages and also in case if there is still any bug that can be exploited surely the casino will reward the one who found and reported it.

Yes, that is the thing. Most of us would "ASSUME" that is the case, but for some reason more often than not that does not happen.

Then that is a big concern They should have ongoing bug bounty rewards and this should have a specific page dedicated to it this is to assure that the casino is dedicated to maintaining the security of their platform, I seldom see this in many casinos I'm playing they rely more on their terms and security of their platform from cheaters.

but could be that casinos have their own security team that tests the platform for vulnerability from time to time which is why they do not have a page for this, Casinos know their business and they know hacking and bug exploitation happens, it is for their welfare to address either openly by offering bug bounty rewards or hire security experts.

[Saisher]

This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.

There's also a possibility that they have their own security team which is why they do not offer it or they have assurance from the seller of the script where they purchase the license of their script that guarantees the script from bugs and the seller updates or patch the script from time to time.
Casinos especially the small ones can easily lose the reputation that they are slowly building if there are loopholes in their script, They don't want their users to have second thoughts on their platform which is why they do not offer this they are confident that their script is bug-free based on the assurance coming from sellers of the script or their own teams.

[Westinhome]

If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.

The bug to the game is common one to the game,So Until the bug will be serious we no need to worry about the gambling site bugs.The minor bugs can’t be consider as the serious one,So we no need to worry on that.If you feel the bug is dangerous,you can report the same bug to the site owner.All the site as the features of rewarding the people who report the bugs and help the developing team.The also reward the bug reporting people based on the bug size.If the major bugs was reported the website will improve their performance based on our involvement.

[dothebeats]

If the bugs aren't that serious or game-breaking, I doubt they'll ever put so much attention to it. There are other things that they need to put their attention to, and minor bugs aren't one of them. My take: leave minor bugs as is and exploit game-breaking ones before submitting it for review. At least, you already profited from it and you have demonstrated that the bug is too critical to be ignored.

The bug to the game is common one to the game,So Until the bug will be serious we no need to worry about the gambling site bugs.The minor bugs can’t be consider as the serious one,So we no need to worry on that.If you feel the bug is dangerous,you can report the same bug to the site owner.All the site as the features of rewarding the people who report the bugs and help the developing team.The also reward the bug reporting people based on the bug size.If the major bugs was reported the website will improve their performance based on our involvement.

Though there could be minor bugs out there that could potentially lead to a critical one if left unchecked, or if it could be exploited even further to huge bigger problems. There are some bugs that act as if they are benign initially, but becomes devastating once discovered that it's connected to other parts of the game or platform. Pretty sure that the casino will have their eyes and ears on those minor bugs, though not as intently as what they give to the bigger ones.

[Jemzx00]

Depends on the bugs, I don't think if the bug is critical they're going just to ignore it.

Most casinos will ignore a really minor bug. Unless your bug is a loophole in the customer data, accessing their fund, etc. If you think the bug is really affecting the service and they responding to what you have explained.

Another good things to do next, just exploited the bug and then contact them again. What you got, sometimes action is necessary as long you already report it and they ignore you.

Majority of bugs that are reported are usually are taken into account by most casinos whether it be a minor or a major bug however it varies depending on how these bug affects it's user and the casino on whether they proceed with an action.

I've seen minor bugs on different gambling platforms here that has been there ever since and a known bug but since it doesn't affect much the casino, no action has taken into account.

Still, there's just some gambling sites out that doesn't really care much until they get affected or multiple reports has been raised and publicized.

[alegotardo]

Ill start this off by saying that i do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto related casinos/exchanges frustrates me so much that it makes me want to quit regularily (and i do, i just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

This is not just a problem with gambling sites, but there should definitely be proactiveness on the part of administrators in recognizing problems and resolving them more effectively, especially when we are dealing with other people's money.

Unfortunately, not only casinos, but many websites underestimate the service of honest people who encounter and report these problems.
In addition to resolving problems when reported, they should recognize the importance of whoever found the problem and reward them fairly, always looking at how much they could have asked for if the flaw had been exploited by someone with bad intentions.

[edmundduke]

Ill start this off by saying that i do basic security testing as a hobby for exchanges and for casinos. And dealing with most crypto related casinos/exchanges frustrates me so much that it makes me want to quit regularily (and i do, i just come back after a while).

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

This is not just a problem with gambling sites, but there should definitely be proactiveness on the part of administrators in recognizing problems and resolving them more effectively, especially when we are dealing with other people's money.

Unfortunately, not only casinos, but many websites underestimate the service of honest people who encounter and report these problems.
In addition to resolving problems when reported, they should recognize the importance of whoever found the problem and reward them fairly, always looking at how much they could have asked for if the flaw had been exploited by someone with bad intentions.

This is exactly it. This is something that happens on many sites that deal with user funds, or with user data. How many times have we seen companies "loose" users data and act as if it is nothing. It just feels its especially prevelant in crypto circles.

[retreat]

Usually online casino platforms have teams that work on application development or they outsource it to other companies. The development of applications certainly requires a process and cannot be just developed and run at any time. There are stages where application development takes longer and if there is a bug that is not too disruptive to the service, usually the platform will note it and include it in the next stage of development. As long as the bug is not fatal and a danger to the service, usually it will be left until everything has been developed by the team.
However, it is true that the platform's appreciation for bug bounties is sometimes not commensurate with the bugs found and that is why many bug hunters prefer to exploit these bugs and sell them to hackers.

[davis196]

There are several casinos that fall into the categories below that are currently on Bitcointalk. Some even have active exploits that have not been fixed simply because the casino operator can not be asked to reply to the email they provided for such reports.

Would you mind sharing with us the names of those "several casinos"? Perhaps a little bit of negative marketing would force the owners of those casinos to do something about it and solve the bugs/exploits.
I don't mind having a publicly available list of crypto casinos, that currently have bugs. Such list will definitely force the casino owners to improve their websites. Waiting to get paid for finding bugs won't work. Most casino owners are stingy and most crypto casinos don't want to put some money aside for such purposes.
Many crypto casinos are using the same templates and gambling scripts. I am no expert in this field, but what is the chance all those casinos to have similar bugs?

[Fivestar4everMVP]

My kind of person would go ahead and exploit the bug when I find it, and then report to the casino or exchange and be ready to return whatever funds I collected through the exploit, but this is after we much have negotiated and come to agreement on how much they will pay me as a bounty for my find.

Though I will only do this after like two or three experiences where I find a critical bug in a casino or exchange, and after reporting it and expecting them to reward me, they refuse claiming they already had known about it , or with the claim that the bug is not critical enough, it is commonly said in my place that "when a bird learns to fly without perching, the hunter will learn to shoot without missing".

So like I've said, If Ive had experience like above with two or three gambling casinos or exchanges, I will start exploiting any bug I find in a casino or exchange, then report to them after I have their funds in my custody, maybe this way, they will learn to appreciate honest bug bounty hunters.

[edmundduke]

My kind of person would go ahead and exploit the bug when I find it, and then report to the casino or exchange and be ready to return whatever funds I collected through the exploit, but this is after we much have negotiated and come to agreement on how much they will pay me as a bounty for my find.

Though I will only do this after like two or three experiences where I find a critical bug in a casino or exchange, and after reporting it and expecting them to reward me, they refuse claiming they already had known about it , or with the claim that the bug is not critical enough, it is commonly said in my place that "when a bird learns to fly without perching, the hunter will learn to shoot without missing".

So like I've said, If Ive had experience like above with two or three gambling casinos or exchanges, I will start exploiting any bug I find in a casino or exchange, then report to them after I have their funds in my custody, maybe this way, they will learn to appreciate honest bug bounty hunters.

While this is an options (and sometimes also necessary to a degree) i usually try to avoid solutions like that. The reason being that You also want to keep a level of professionalism so you dont scare away your potential customers. And it can also land you in some hot water legally speaking.

[Westinhome]

My kind of person would go ahead and exploit the bug when I find it, and then report to the casino or exchange and be ready to return whatever funds I collected through the exploit, but this is after we much have negotiated and come to agreement on how much they will pay me as a bounty for my find.

Though I will only do this after like two or three experiences where I find a critical bug in a casino or exchange, and after reporting it and expecting them to reward me, they refuse claiming they already had known about it , or with the claim that the bug is not critical enough, it is commonly said in my place that "when a bird learns to fly without perching, the hunter will learn to shoot without missing".

So like I've said, If Ive had experience like above with two or three gambling casinos or exchanges, I will start exploiting any bug I find in a casino or exchange, then report to them after I have their funds in my custody, maybe this way, they will learn to appreciate honest bug bounty hunters.

The gambling sites was ready to spend huge money for the person who involved in the gambling now.The reason is by giving the gamblers loss by finding the error,the gamblers who doing the error finding in the website and reporting by seeing the welfare of the gamblers.Every new game will have some bug at the initial launch,some ethical hacker use this bug finding and win in the environment.If you play of three games in three different website and you had found three bugs in all three website.Then create a mail to the developer or owner of the project.You need to attach the bug details in screenshot to the gambling sites which had bugs.

[robelneo]

This type of transparency will benefit everyone. Users will be more safe with extra testing. People who find exploits are less likely to exploit if they know they can be compensated for the find. The industry overall will benefit from this.

Casinos and exchanges should have a bug bounty, one of the main reasons is they already have a dedicated team for this and the administrator is paying these people to fix bugs and patch and if they post that they have a bug bounty they will be targeted by hackers for exploits because hackers will think that they do not have an internal security to fix exploits.

Casinos and exchange especially the big one will only test for security flaws and bugs prior to their launching and from there they are going to monitor the script or theme for possible exploits so if there is a bug it will be fixed soon by their team or the casino will suffer from too many glitches because of failure to fix the bugs.

[Wexnident]

~

That's just how businesses go. I've been in a small company once that used to hire 3rd party developers to create their programs. They used to pay upwards of thousands of dollars into them, and not just a one-time payment but as well as a monthly maintenance fee. When I first entered and looked at the quality of the system they made, I was honestly thinking why the hell are they still hiring these people, the system looks so outdated not to mention the tens to hundreds of bugs and reports that people who use the system keep reporting to use.

They also tend to downplay a lot of bugs since, well, a lot of people don't even manage to understand how it works so I think they think they can get away with it without any big rewards at all. At that instance where it's reported they can immediately tend to it after all so it isn't exploited, so they just downplay the services of this bug bounty services they offer.