Announcing the Vulnerability Bug Bounty Program

I knew, but the statement above from Staff said suspended forever, that's why I asked.

This topic has been temporarily closed due to off-topic discussion. As noted earlier, only support can respond to questions related to individual accounts.

I've re-opened the topic for now. Please make sure your post is directly related to the vulnerability bug bounty program. For example, discussing disciplinary actions is off-topic.

6 Likes

@Barrista. Sounds like bad boards to me. I have been beaten by a weaker team. Tiles are 70% of damage dealt. You get a bad board you get defeated or on a titan a low score.

3 Likes

@mhalttu I recently submitted a bug which you accepted yourself. Could you explain what the various levels P1-P5 requirements are and their monetary values? Feel free to PM me if you don't want to discuss on the forum.

Thank you for the report! I'll answer here on a high level, and will contact you separately through BugCrowd.

  • Due to the way BugCrowd works, there are two programs: Paid Bounty and Public Vulnerability Disclosure Program (PVD). The former is invite-only and provides real-money bounties. The latter is open for public.
  • If you report a valid vulnerability through PVD, you can request a bounty. In that case, I can invite you to the Paid Bounty program. You can then re-submit your finding and I can pay out the bounty there. It's a bit of an inconvenient process, but it seems like this is the best BugCrowd can offer.
  • The priority levels are as follows. I'll write the paid bounty range in parentheses.
    • P1: Critical ($2,800 - $4,500)
    • P2: Severe ($1,000 - $1,400)
    • P3: Moderate ($350 - $500)
    • P4: Low ($150 - $175)
    • P5: Informational (no bounty)
  • We are also able to give a reward up to $10,000 for an exceptional submission
  • All of these numbers are coming from BugCrowd, and may change in the future.

7 Likes

Thank you @mhalttu, I've sent you a reply via BugCrowd.

Yes there are. SGG is too busy gazing at their collective navel rather than working on improving and fixing the game.

Azlar damage to all enemies is greater than the 205%.

I know I shouldn't feed a troll, but this comment doesn't make any sense. The whole point of this program is about Small Giant paying a fair reward to learn about bugs that we have been unable to discover ourselves.

There are much larger companies than us who have a similar program. Surely a trillion dollar company like Apple doesn't have any vulnerabilities? If you haven't seen this list, it's pretty eye-opening: About the security content of iOS 14.2 and iPadOS 14.2 - Apple Support.

Let's try to keep the discussion constructive and on the topic.

12 Likes

Good luck with that :smiley:

2 Likes

Hi,

This was not meant to troll you but rather was my first foray in trying to report an issue and replying to someone else's comment. Somehow my reply got tagged to your comment.

If only you were as quick to respond to my ticket as you are to so-called "feed" trolls, perhaps this game would be enjoyable again.

My point is not about the bounty program. Obviously, the community is in a much better position than the devs in finding issues, after all, we play this game to the fullest.

My point, however, is that there is a perceived reality that SGG is spending all their efforts on novelties and are slow at fixing and improving current product. Look at all the repeat issues reported and the timeline in fixing them.

Regards

This is really clear, and I understand there's an official route to report a bug to undoubtedly reward the first person to discover it.
But I want to make a consideration that of course is born after the Morlovia bug.

I don't know if @CertainHeredity was the first to report the bug in the official way, but he surely was the first with the guts to say out loud here on the forum something that many before him tried to exploit rather than tell to you.
As such, I really hope you properly compensate him.

In the same way, there will probably be people not really seasoned with the forum or the bounty program, but who may discover a bug and, rather than take the official path as fast as they can, just come here and open a topic about it.
Then a sharper user could simply steal that discovery and report it himself as fast as he can, trying to claim the prize.

I really hope that before doing so and rewarding only the fastest, you take a moment to consider who effectively was the first person trying to help you.

Otherwise it's just a rat race.

2 Likes

We rewarded both the person who first reported the issue to us through BugCrowd as well as the person who first reported it to the player support.

In the future, the plan is to reward the first reporter. However, the preferred channel is absolutely through BugCrowd. I am personally reading every vulnerability report but I cannot read every message sent to the player support.

Being the first person to report a vulnerability on the forums is not something I want to reward for the obvious reasons.

7 Likes

Perhaps the best compromise is to have players not familiar with BugCrowd report first through customer support (for the time stamp) and have customer support send an email referring them to BugCrowd.

Or, if BugCrowd has current or future infrastructure for contacting a user, customer support could forward the ticket directly to BugCrowd. I am not sure of BugCrowd's business model.

4 Likes

To clarify - I'm a :woman:

No, they didn't, but it is not important to me at all. I didn't do it to get a reward - I wanted fairness.
I have sent videos and screenshots as well as a description of the exploit using the contact form that was linked to my post. I don't know if I was the first one to do so. It doesn't look like that, but it doesn't matter to me either.

The really bad side of the story is that a very small part of the community has gone really, really mad.
The fact that I used the same Line ID as my in-game nick and the forum nick made me easy to find.
I received threats, insults, pictures and videos with ■■■, rape and violence fantasies from several hundred people via Line. People who were blocked in the game sent me voice messages. They insulted me, screamed around and wished me an imminent death.
My Line ID went through various E&P Line groups and the group members were actively encouraged to insult and intimidate me.
People who were in an alliance with me were also victims of insults and harassment. We reported several users who were in the German-speaking in-game chats and insulted us.

For my protection and to protect the reputation of my alliance, I removed my forum avatar, deleted my Line, renamed myself in the game and left my alliance - left my brothers in arms without a word. This whole situation really got me down and I hope that they won't find me again. I did nothing wrong. But others did. Maybe I can get a free rename without spending gems from SG - as a backup if they find me again. That would be very, very nice.

24 Likes

Wow, that's the price for coming out and doing what's right to do. And nothing in return to mitigate it.
Surely not something that encourages me to do the same. Anyone, I guess.

If I ever find something like this, I'm really troubled whether it's really worth reporting.

From my part, maximum respect and empathy.

You and your friends donā€™t deserve this.

10 Likes

BugCrowd

Looks like SGG has a private BugCrowd area. Sort of like how this forum software is run by Discourse.org for SGG.

User ID

But given @CertainHeredity's unfortunate experience, I would definitely recommend using a different (or disposable) email / User ID.

Perhaps @mhalttu might mention that in the top post.

Hi @CertainHeredity, I am really sorry to hear that you have experienced inappropriate, and even toxic or threatening behavior from any part of the Empires & Puzzles Community. We find this absolutely deplorable and have a zero-tolerance policy towards harassment.

If you are the victim of or witness inappropriate behavior in our game, please contact us so we can act swiftly to take all appropriate moderation action. Please contact support using the in-game support button; you can find more information here.

As with all support requests, it is important to include as much detail as possible, such as exact player names, Alliance names, time and date of the abuse, and any screenshots you may have.

Unfortunately, any inappropriate behavior that occurs outside of the game and our official channels (such as Line chat) is beyond our control. I would strongly recommend that you immediately contact the Customer Support for whichever Communication App, Forum, or Unofficial Group that was used when the incident(s) in question occurred as quickly as possible and with as much detail as possible.

If you still feel the need to change your name in-game, please contact Support and ask for me in the ticket, or you may PM directly here and we would be happy to grant you a free name change.

24 Likes