Announcing the Vulnerability Bug Bounty Program

What is the difference between Bug and Vulnerability?

Timing part 1

Well that didn’t take long.


Congratulations SGG, you have now experienced, and patched, all 3 of your worst fears.

Hopefully the rest of 2020 goes better.


Timing part 2

I hate to be the bearer of bad news, but a lot of cheater witch hunts and SGG entrapment/complicit conspiracy theories are popping up on the internet.

I do not think it will help, but you might internally discuss how to communicate with the player base in a situation like this.

Similar to a data breach at a retailer.

Personally, I would ask the legal department about an in game email.

If not, “leak” the info to the forum moderators so at least forum members will be better able to counteract the increasing number of cheater witch hunts and SGG entrapment/complicit conspiracy theories spreading.






With the recent bug I am wondering what else could be “replayed”. And I don’t mean by some bug in the app itself but by sending similar data directly to servers.

I had a feeling from this topic that SGG is quite sure about their app <-> server communication and the validations, but then this happens, weird.

I was tempted to try something a few times already, but I don’t have a lot of experience with programming mobile apps or with Android, so it could be quite hard for me to do the proper test.

We do our very best to avoid vulnerabilities, but no system is flawless. The recent Morlovia case is the perfect example of why I started this program.

We actually got a number of reports about the issue through BugCrowd and our support channels but unfortunately, by the time those reports reached us, it was already too late to prevent widespread abuse and the resulting disciplinary actions.

Even though we heard about the issue too late this time, we are still paying $1000 both to the person who first reported the issue in BugCrowd as well as to the person who first reported it to the player support.

It’s worth pointing out that there were about 20 people who abused the issue already during the summer event. If one of them had reported the vulnerability to us before Morlovia, we would have paid the reporter a bounty of $5000.

I really want to emphasise this. Any one of those players could have reported the issue and they’d now have an extra five thousand dollars to spend as they please. Instead, their account is suspended forever.

If you happen to uncover a similar issue in the future, please take the time to think about your choice: free cash or a locked account. It is my sincere hope that you’ll make the right choice!


Following your post concerning the Morlovia bug, could you tell us a little about the accounts which are still suspended to this day? Fixed term, or are accounts permanently lost?
I think it would be nice to communicate a bit more about this :)
Thank you in advance for your reply.

I have one question: does “suspended forever” apply to the 20 from summer only, or to everyone who abused Morlovia?

@arios @carriermaude Only support can respond to questions related to individual accounts. Please read this topic for instructions:


We do not ask about individual accounts, but about what happened to 99.99% of the players suspended.

OK for the 20 that abused it in the sand event, and the others???

What is the penalty for the others?
From 1 to 10 uses: warning message - no suspension
From 10 to 20 uses: ???
From 20 to 30 uses:

We just want to know if we are going to do something else, or if we wait, and for how long??? We just ask that you communicate, because it’s been 3 days!!

I knew, but the statement above from Staff said suspended forever, that’s why I asked.

This topic has been temporarily closed due to off-topic discussion. As noted earlier, only support can respond to questions related to individual accounts.

I’ve re-opened the topic for now. Please make sure your post is directly related to the vulnerability bug bounty program. For example, discussing disciplinary actions is off-topic.


@mhalttu I recently submitted a bug which you accepted yourself. Could you explain what the requirements for the various levels P1-P5 are, and their monetary values? Feel free to PM me if you don’t want to discuss it on the forum.

Thank you for the report! I’ll answer here on a high level, and will contact you separately through BugCrowd.

  • Due to the way BugCrowd works, there are two programs: Paid Bounty and Public Vulnerability Disclosure Program (PVD). The former is invite-only and provides real-money bounties. The latter is open to the public.
  • If you report a valid vulnerability through PVD, you can request a bounty. In that case, I can invite you to the Paid Bounty program. You can then re-submit your finding and I can pay out the bounty there. It’s a bit of an inconvenient process, but it seems like this is the best BugCrowd can offer.
  • The priority levels are as follows. I’ll write the paid bounty range in parentheses.
    • P1: Critical ($2,800 - $4,500)
    • P2: Severe ($1,000 - $1,400)
    • P3: Moderate ($350 - $500)
    • P4: Low ($150 - $175)
    • P5: Informational (no bounty)
  • We are also able to give a reward of up to $10,000 for an exceptional submission.
  • All of these numbers are coming from BugCrowd, and may change in the future.

Thank you @mhalttu, I’ve sent you a reply via BugCrowd.

