Announcing the Vulnerability Bug Bounty Program

I have reported bugs like “Missing Loot” through the Support function.

Should I now do this through the new third-party app?

You absolutely should keep using the Support function.

You should use the Vulnerability Bug Bounty program only if both of these apply:

  1. You are reporting a serious vulnerability in the server-side validation logic or our infrastructure
  2. You can provide the exact steps to reproduce the vulnerability

For anything else, please contact Support just as before.

How do you identify one that is “clearly cheating”? I’ve been playing for hours a day every day for the last two years and never bumped into one that is “clearly cheating”.

This! You caught me! Damn! I have to admit I’m exploiting the game, I’ve been playing for free for two years! Take me to jail!

The thing is that Boril in costume goes off and gives a counterattack to all of his allies, but the return hit is weakened by a lot. So this is not a bug.

What is the difference between Bug and Vulnerability?

Unsure if this is a bug, but today I paid for GEMS in the STORE, everything went as it should until the screen comes up to claim the gems. It never did. So I paid for gems I have not got.

Timing part 1

Well that didn’t take long.

SeasonGate
BetaGate
LevelGate

Congratulations SGG, you have now experienced, and patched, all 3 of your worst fears.

Hopefully the rest of 2020 goes better.

Timing part 2

I hate to be the bearer of bad news, but a lot of cheater witch hunts and SGG entrapment/ complicit conspiracy theories are popping up on the internet.

I do not think it will help, but you might internally discuss how to communicate with the player base in a situation like this.

Similar to a data breach at a retailer.

Personally, I would ask the legal department about an in game email.

If not, “leak” the info to the forum moderators so at least forum members will be better able to counteract the increasing number of cheater witch hunts and SGG entrapment/complicit conspiracy theories spreading.

Notes

Rise of conspiracy theories

(The Science of Conspiracy Theories and Political Polarization with Eric Oliver (Ep. 25))

SeasonGate

([Tips, Help] But I didn't do ANYTHING but my account is trashed/ banned ! or Common mistakes, cons, and other nefarious methods to get your money, trash your account, or get you banned AND How to prevent this from happening [Updated 2020-Nov-06] - #2 by Gryphonknight)

BetaGate

(Stones' colour distribution is NOT random - MASTER Board Conspiracy - #1212 by Gryphonknight)

LevelGate

FIN

With the recent bug I am wondering what else could be “replayed”. And I don’t mean by some bug in the app itself but by sending similar data directly to servers.

I had a feeling by this topic that SGG is quite sure about their app <-> server communication and the validations, but then this happens, weird.

I was tempted to try something a few times already, but I don’t have a lot of experience with programming mobile apps or with Android, so it could be quite hard for me to do the proper test.

We do our very best to avoid vulnerabilities, but no system is flawless. The recent Morlovia case is the perfect example of why I started this program.

We actually got a number of reports about the issue through the Vulnerability Bug Bounty Program and our support channels but unfortunately, by the time those reports reached us, it was already too late to prevent widespread abuse and the resulting disciplinary actions.

Even though we heard about the issue too late this time, we are still paying $1000 both to the person who first reported the issue through the Program as well as to the person who first reported it to the player support.

It’s worth pointing out that there were about 20 people who abused the issue already during the summer event. If one of them had reported the vulnerability to us before Morlovia, we would have paid the reporter a bounty of $5000.

I really want to emphasise this. Any one of those players could have reported the issue and they’d now have an extra five thousand dollars to spend as they please. Instead, their account is suspended forever.

If you happen to uncover a similar issue in the future, please take the time to think about your choice: free cash or a locked account. It is my sincere hope that you’ll make the right choice!

Hello,
following your post concerning the Morlovia bug, could you tell us a little about the accounts which are still suspended to this day? Fixed term, or are the accounts permanently lost?
I think it would be nice to communicate a bit more about this.
Thank you in advance for your reply.

I have one question: does “suspended forever” apply only to the 20 from summer, or to everyone who abused Morlovia?

@arios @carriermaude Only support can respond to questions related to individual accounts. Please read this topic for instructions:

We do not ask about individual accounts, but about what happened to the 99.99% of players suspended.

OK for the 20 that abused it in the Sand event, and the others???

What is the penalty for the others?
From 1 to 10 uses: warning message, no suspension
From 10 to 20 uses: ???
From 20 to 30 uses: ???

We just want to know if we are going to do something else, or if we wait and for how long??? We just ask that you communicate, because it’s been 3 days!!

I knew, but the statement above from Staff said suspended forever; that’s why I asked.

This topic has been temporarily closed due to off-topic discussion. As noted earlier, only support can respond to questions related to individual accounts.

I’ve re-opened the topic for now. Please make sure your post is directly related to the vulnerability bug bounty program. For example, discussing disciplinary actions is off-topic.

@Barrista Sounds like bad boards to me. I have been beaten by a weaker team. Tiles are 70% of damage dealt. If you get a bad board, you get defeated, or on a titan you get a low score.

@mhalttu I recently submitted a bug which you accepted yourself. Could you explain what the requirements for the various levels P1-P5 are and their monetary values? Feel free to PM me if you don’t want to discuss it on the forum.

Thank you for the report! I’ll answer here on a high level, and will contact you separately through BugCrowd.

  • Due to the way BugCrowd works, there are two programs: Paid Bounty and Public Vulnerability Disclosure Program (PVD). The former is invite-only and provides real-money bounties. The latter is open to the public.
  • If you report a valid vulnerability through PVD, you can request a bounty. In that case, I can invite you to the Paid Bounty program. You can then re-submit your finding and I can pay out the bounty there. It’s a bit of an inconvenient process, but it seems like this is the best BugCrowd can offer.
  • The priority levels are as follows. I’ll write the paid bounty range in parentheses.
    • P1: Critical ($2,800 - $4,500)
    • P2: Severe ($1,000 - $1,400)
    • P3: Moderate ($350 - $500)
    • P4: Low ($150 - $175)
    • P5: Informational (no bounty)
  • We are also able to give a reward of up to $10,000 for an exceptional submission.
  • All of these numbers are coming from BugCrowd, and may change in the future.

Thank you @mhalttu, I’ve sent you a reply via BugCrowd.