Announcing the Vulnerability Bug Bounty Program (Aug 2020)

It is very important to us that our games are fair for everybody, and we do not tolerate any form of cheating. Empires & Puzzles has been implemented in a way that makes cheating next to impossible. However, no solution is fool-proof, and there is always a chance of human error.

In the past, there have been a couple of cases where some players have found a way to bypass our server-side verification logic to gain an unfair advantage in the game. We have reacted to those cases by removing the advantage and/or suspending the account.

Of course, it would be even better to hear about bugs and vulnerabilities like that before they are abused. If you discover a vulnerability, it should be more tempting to report it to us than to abuse it for short-term gains and risk getting your account suspended.

We are happy to announce that we are partnering with BugCrowd to make it easier - and more lucrative - to report vulnerabilities in the game. BugCrowd offers two kinds of programs. Their free program allows you to report bugs and vulnerabilities for fame, and simply because it’s the right thing to do. You can find the form of our Responsible Disclosure Program at https://www.smallgiantgames.com/white-hats.

BugCrowd also offers a private Paid Bounty program for security researchers. The rewards in that program range from a couple of hundred dollars to $4,500 or even up to $10,000 in exceptional situations.

Unfortunately, you cannot report vulnerabilities through the Paid Bounty program unless you are a registered security researcher with BugCrowd. However, we are interested in reports from the whole community and will pay a fair reward for any real vulnerabilities we end up fixing. If you report a real vulnerability through the Responsible Disclosure Program, we will make sure you are approved as a researcher by BugCrowd and will be compensated for your report.

Please note that we are most interested in vulnerabilities affecting our server-side validation. Just as an example:

  • Completing the same quest multiple times for repeated rewards
  • Abusing a bug to adjust the odds of a battle or summon in your favour
  • Training or crafting without consuming the necessary ingredients

Please note that we do reserve the right to reject reports that are not related to vulnerabilities in our server-side validation. Here are some things that we do care about, but cannot accept through the program as bugs or vulnerabilities:

  • Client-side cheating e.g. by modifying the clock speed of your device (unless it allows you to uncover holes in the logic that the server is not catching yet)
  • Using features that are working as designed to gain an advantage in the game (unless the design of the feature is unintended and we actually fix it based on your report)

If you do believe you have spotted a real bug or a vulnerability in the game, please report it through https://www.smallgiantgames.com/white-hats and, if it is approved and fixed, we will make sure you get fair compensation for your report.

For discussion, please visit this topic: Announcing the Vulnerability Bug Bounty Program
