Comments
It could be argued that in an MMO an "economy breaking exploit" could be as devastating as a security vulnerability in any other software and thus could warrant the same type of bounty program.
I do not see the problem in attracting talented exploit hunters if they are here for the money. They will be driven by monetary gain and thus will never sit on a bug/exploit for any length of time as someone else might have beaten them to the prize/bounty.
The filthy personality you are afraid of attracting will find the game regardless of any bug bounty program as they are here for other reasons. However, some of them might even be persuaded to join the light side 👍
-Karp
I mean outside professionals who can do black box stuff as well for example. Proper pen testing stuff.
Of those few games that have, I can't think of a single one that would have had a different outcome with a bug bounty system in place.
You seem convinced otherwise - give me an example of when there would have been a different outcome.
A system like this would only ever deal with small, insignificant bugs - which is why it isn't needed.
MMO players (especially those at the top end of their chosen gameplay sphere) are better at finding bugs than players that are there for the money.
I know this because I am one of those. I have reported dozens of bugs, some minor, some major in a handful of games - all of which were patched soon after.
This is also how I know for a fact that some developers introduce exploits into the game to catch undesirable players. One particular developer gave me a personal heads up about a bug they were introducing, knowing that I would find it within hours of it going live. As a tool, the ability for developers to weed out these undesirable players (basically anyone that would exploit a bug rather than report it) is better for the game than a bug bounty system.
Again, the ONLY bugs that this system would uncover are those small enough that the player that is only there for personal gain considers to be not worth exploiting for greater gain. It is NOT a system that will uncover game breaking bugs - as these players would always take the option that has the largest personal gain.
This is not a system that has any value at all to an MMO developer, and it boggles the mind to think that anyone could think it would.
You want an example? Sure, I will give you one.
ArcheAge's Infinite Apex bug/exploit. Apex was an ArcheAge cash shop consumable item that was tradable and, when consumed, would give the user a certain amount of cash shop currency that would otherwise be untradable directly.
The bug/exploit: When using the Apex item there was a 2-3 sec time for it to disappear from your inventory and for you to receive its cash shop currency amount. But when using an instant teleportation (mainly to or out of Mirage Island) during the cast time of the consumption, the item would not be consumed but the cash shop currency would be received.
Consequence: The markets of all AA servers were flooded with cash shop tradable stuff which had their prices deflated real fast, stuff that was pretty important for the server economy, and because it spread before the few that had the bug knowledge were dealt with, it affected the price of everything else.
Result: The game economy was destroyed pretty fast. Trion's response to it was even worse: a mass ban of people that didn't even exploit, forever tainting the game and the company name, and a massive reduction of the playerbase. Even though it was only one of the insane exploits that appeared later on.
Are you willing to tell me, that if that bug was reported through a bug/exploit bounty hunting system early on it wouldn't have changed anything?
Aren't we all sinners?
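Added example, not code from the thread or from any game: a toy model of the ordering bug the Apex post describes (currency granted when the cast starts, item removed only when the cast ends) beside the ordering that closes it, where nothing is applied until the cast completes and the removal and the grant are committed together. Class, item and value names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Player:                 # constructed toy state, not any game's data model
    inventory: dict           # item name -> count
    credits: int = 0          # cash-shop currency
    pending: Optional[tuple] = None   # (item, value) while a consume cast runs

# Vulnerable ordering: the currency is granted when the cast starts and the
# item is only removed when the cast ends, so anything that cancels the cast
# (here, a teleport) leaves the player with both.
class CastGrantsEarly:
    def start_consume(self, p, item, value):
        if p.inventory.get(item, 0) < 1:
            return False
        p.credits += value            # side effect applied before the item is taken
        p.pending = (item, value)
        return True
    def teleport(self, p):
        p.pending = None              # cancels the cast; the early grant is never undone
    def finish_cast(self, p):
        if p.pending:
            p.inventory[p.pending[0]] -= 1
            p.pending = None

# Hardened ordering: the cast only reserves; at completion the precondition is
# re-checked and the removal and the grant are applied in one step, so a
# cancelled cast changes nothing.
class CastAtomic(CastGrantsEarly):
    def start_consume(self, p, item, value):
        if p.inventory.get(item, 0) < 1:
            return False
        p.pending = (item, value)     # reservation only, no state change yet
        return True
    def finish_cast(self, p):
        if not p.pending:
            return False
        item, value = p.pending
        p.pending = None
        if p.inventory.get(item, 0) < 1:
            return False              # item vanished during the cast window
        p.inventory[item] -= 1
        p.credits += value
        return True

def interrupted_consume(server):
    """Use the item, teleport inside the cast window, then let the cast end."""
    p = Player({"apex": 1})
    server.start_consume(p, "apex", 100)
    server.teleport(p)
    server.finish_cast(p)
    return p.inventory["apex"], p.credits

def normal_consume(server):
    """Use the item and let the cast complete undisturbed."""
    p = Player({"apex": 1})
    server.start_consume(p, "apex", 100)
    server.finish_cast(p)
    return p.inventory["apex"], p.credits

if __name__ == "__main__":
    for cls in (CastGrantsEarly, CastAtomic):
        print(cls.__name__, interrupted_consume(cls()), normal_consume(cls()))
```

The vulnerable server ends the interrupted scenario with the item still in the inventory and the currency credited; the hardened one ends it with no change, while the undisturbed scenario behaves the same on both.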
The absolute majority of them definitely wouldn't and would go against the risks, but here is the trick:
you only need a single one of them to be afraid of the risks and take the safe route to snitch it.
Aren't we all sinners?
If one person can snitch on a whole network ( I assume the innocent people in question received items from the exploit) then it is even less likely an exploiter would report it. Most likely the issue came to light when a non exploiter discovered the issue or the devs discovered the issue.
This applies without the bounty system though.
You would need to pay them more money than they can expect to make from it - which would not be the case.
And as pointed out earlier in this thread, a bounty system in an MMO would not be legally able to offer a monetary reward. In many (arguably most) countries, people would need to be considered either a contractor or an employee to accept money for what is essentially work.
This is why most of the bugs reported to companies like Microsoft and Facebook come from bug bounty companies/organizations, not from individuals. The companies pay the staff, and the bounties are the income that the companies make (among other revenue sources).
This system kind of falls apart if you try to go international with bounties to individuals.
So, the notion of a cash reward for bugs in an MMO is a non-starter, meaning we are discussing non-cash rewards, which will not see people report bugs like the above.
WAY less likely without the personal incentive though.
Aren't we all sinners?
No it isn't.
This is why almost all bugs in MMO's are reported and fixed.
Sure, some are exploited a little before they are fixed, but most are not.
Those that are exploited before they are fixed are not likely to have that situation altered by offering money to people for reporting them. People either report bugs to make the game as good as it can be, or take the option that offers the most personal gain - which will always be exploiting the bug.
No one is saying minimal, and point of fact he and I have been railing against the idea of it being some sort of frivolous title or costume or something equally worthless.
I hate to say it but the main key thing that prevents exploits from happening is having a great tester team you can trust. And not pushing out updates that haven't been put through the wringer. Bounty systems don't matter. I'll give you a perfect example, because being someone who worked as a scripter and programmer and also engineered different types of things, when I got bored with WoW I actually turned to exploiting, using some of my old skill set for hacking from older MMORPGs and building servers.
I first tried to be the good player by reporting bugs to WoW's development team. And that falls on deaf ears all the time cause if it doesn't show up as something one of their developers catches, they ignore it till it becomes a problem. You also can be banned for reporting an exploit if they actually try it and it works. So who is gonna risk that? But aside from the ethics of it, let's talk about a real exploit that me and a friend found out.
I'm sure anyone who played old world WoW remembers the script function which could be used to instantly log yourself out of game. It was useful in PvP cause you could log out when someone was hunting you and wait till it was safe, or it was also used to sneak into unfinished zones cause you could walk through the warp out areas. This was pre-Cataclysm. But me and a friend stumbled on an exploit with the auction house which would allow you to dupe items. See, back then the character server and the login server had a 45-60 second delay in the saving of character data. Part of it was related to the servers being overloaded, but also the servers were not all hosted on the same server. And when the server was overloaded the time window of data saves got even worse and it could take 1 to 2 minutes. So you could post a bunch of items in 40 seconds using a simple auction bot, use the script function to kick the character out of game and log back in, and you would have the items posted in the auction house as well as in your inventory.
But being a good person originally I was like, damn, this is a huge exploit, and I went to the GMs and they kept telling me that "dupe hacks don't exist". So I gave up and just started using it whenever I needed new rune orbs and BoE copies of things. I used to post a lot of other exploits because I was a member in some communities and WoW had tons of mechanical failures with quests. Like dropping a quest midway to get free gold and EXP.
And I used to work on one of the famous bots of the time with my friend who was a head developer, but I only wrote the AI system for it cause my actual programming skills leave much to be desired. But the friend I did a lot of work with ended up quitting and I also decided I wasn't gonna play WoW anymore. So we gave Blizzard staff one more chance to listen to us about the dupe hack and threatened that if they didn't take it seriously we would post it on elitepvpers. In which we got an invitation by a GM to craft some GM items on the auction house and both of us got perma banned. And now you have the "Your body stays in game for 2 minutes" to let the character server save your data to prevent dupe hacking on WoW.
I know about 2000 WoW players just ran over to WoW to test if it still works, but you're long out of luck.
Bottom line though, don't hack and ruin a good game. But also, development team, don't ignore players who actually give a damn and want the game to be a great game. I want to see Ashes of Creation hit #1 and be the best game for the next 20+ years like Ragnarok Online.
But to the reason bounty systems don't work: the reward has to outweigh the exploit. Back then you could sell WoW gold for enough money to quit your job if you were that kind of person and wanted to go through that. Same thing with botting: if people make 100 a month per bot per person they wouldn't want exploits used to be reported. Anything I catch I'll be reporting, reward or no reward.
All anti-hack systems suck to a certain degree. Nothing is ever 100% safe from hackers. WoW's Warden that isn't public is trash just like it was back then. But we could talk for hours on the subject of how to protect the game and it wouldn't really get us anywhere. The main thing is the more quests that need specialty programming, the less bots can do or the longer it takes to program them to be able to do them.
Edit: side note to ^: when the content is hard, bots have a hard time as well. If questing is hard they go to monster farming. If monster farming is hard and quests are hard they look for something else.
College Lessons
I read your post, but the only part that I have to address is this bit. If you read through the thread or just the first post, you'll see that I explicitly mean cash. And while this may seem outrageous, please consider that this is a subscription-based MMO where even a few hundred people quitting for good has major knock-on effects. As myself and a few others in this very thread have also pointed out, it really just takes one major exploit, one bad response from Intrepid, to have a bunch of yellow journalists running around ruining the image of the MMO. Further, even if the response is in line with what veteran MMO players expect (a rollback and a fix), should the exploit become well known it still doesn't solve the problem of the reputation being soured. This is why a bug bounty system must be implemented: because it preys upon the inherent greed in most people (or perhaps desperation). You and maybe even Intrepid may look at several thousand dollars for a duping/invincibility/etc. exploit as excessive, but all it takes is the very simple math of weighing the number of subs just quitting altogether and the potential lost revenue from people who might have played but no longer will since it's "that game with the exploits." Something like a few thousand dollars (given the hopeful rarity of such bugs) is a drop in the bucket if you just step back and look at the reality of the situation for two seconds.
Well I'll give you another example: https://hackerone.com/riot?type=team. Riot has a post up there based on people finding exploits or bugs and offers money. But even still there's thousands of bots for Riot's Valorant, not to mention exploits such as aimbots and wall-hacks. Getting offered 100k for a hack or bot that you're making 100 per person on, and you have 50,000 users, you're taking a huge loss if you report yourself. So they are asking someone who is making millions of dollars to report a bug or kernel exploit for 100k. Rockstar is another that does the same thing with its games, just not for as much money. How is anyone gonna report an exploit that they are gonna pay even less for? 25,000 for a SQL injection? Don't make me laugh; it costs more per hour to get a developer to work on your database than the amount to pay out for a bug that could let someone inject database entries.
I'm not saying that you can't try these methods, but honestly they don't work. The average player is nothing more than a script kiddie and does nothing but copy others' code or can find basic bugs. It's people who have worked in some line of programming, engineering or hacking that can find these types of exploits. People who know how to use ASM and C++, that's who you're fighting. Not the average person who knows how to read email, copy the hack.exe, paste it into the game folder and hit crack.
And bottom line is most game developers know this too cause they have engineers and programmers working on the game. But everyone is human and we all make mistakes. If we put that call for variables on the wrong line of course we are going to cause a bug that someone could get some gold and exp. Mostly a matter of finding these before they go live. But also testing wise most people don't run through the game all over unless they are told to.
College Lessons
I get what you're saying, but this isn't the focus of the discussion. The focus isn't on guys who are selling packages like this. That's well beyond what the intention is because those people will never come forward, as you and I know. The goal is to focus on the people who are exploiting extremely basic, but extremely harmful bugs. You don't need anything you just mentioned to introduce unintentional iframes into a game. You don't need that to dupe. You don't need that even to do something like flying. All it takes is the know-how from previous games and some thorough probing where the Q&A team may have failed. Further, as the first page on this thread shows, there have already been instances of people who are playing the Alpha 1 that attempted to (and if that's just an attempt this means there are definitely those who succeeded at obscuring their findings) hide exploits but were ratted out.
So, the issues with a bug system are that in many countries it is simply not compatible with the law, which is why most bug bounty programs have companies or organizations as the bulk of the participants. If you are not aiming the system at people that are already in such companies or organization (which you say you are not), then you are excluding the possibility of cash rewards.
Getting paid for finding faults in a product is work, in a legal sense. As such, anyone getting paid for finding a bug is either an employee or contractor.
You need to address this if you want people to think you are serious about your idea.
Then you need to address what Intrepid can do in relation to setting up situations in which to catch exploiters in order to ban them. While I am unsure how common a practice this is, I know it is one that some companies do, and often results in hundreds of account bans for exploiting - far more effective than a bug bounty system imo.
These two systems are not compatible - a developer can only choose one. You need to address why a bounty system would be better for Intrepid than the alternative, which you have so far just ignored (in part because you are likely the target of such a system).
Then you have the practical side of this to address. If a player is able to make thousands, tens of thousands or even hundreds of thousands from a bug, how much do Intrepid need to offer them to report it? If Intrepid offer a bounty based on the severity of the bug and someone finds a minor bug with no immediately obvious means of exploitation, why would that person not just sit on said bug until a means of exploiting it for gain shows up, and at that point why would they then report it?
At best, the bugs this kind of system would find are unimportant and insignificant, and would have been reported by the general population at some point. It is highly likely that the bug you talk about in the OP was known about by the developers, but they just never got around to fixing it, as it was not important enough.
Yes, it is!
Yeah, almost all bugs in MMO's are reported and fixed; sadly, the majority of times it's pretty late and people already abused and took all the advantage they wanted from it.
Depending on the bug/exploit "potential" there will be some that will take the offer as long as there is an incentive for it; if there is no incentive they will never report it for free, the bug/exploit and the report/fix will take longer and possibly have more destructive potential.
Aren't we all sinners?
The bugs that make it through to the live game are very much the minority.
The bugs that a bounty system could even potentially be used for are bugs that are not found in testing, that are impactful enough to be worth the cost, are not so impactful that multiple people will find them, and are also not able to be exploited for personal gain.
I honestly can not think of a single bug in any game I have played that fits these parameters. Even the example you provided from Archeage fails at two of them.
World of Warcraft never would rush to fix things cause they just felt "not enough people are exploiting them for it to be a big deal", but as it got posted on multiple hacking communities and tons of players were abusing it, then they would fix it and ban all the players who used it. But it was just an account ban, so hackers just buy a new account and start playing again.
When I used to run game servers we would dish out hardware ID bans and would use the CPU, since modifying a CPU's ID can potentially brick the system. That's really the main way to get rid of someone. Resetting a MAC address is child's play for most people and hard drives are easy. ArcheAge used to do MAC address and hard drive ID bans for people using speed hacking, which was because CryEngine makes you want to cry as a developer.
But honestly it's more profitable for the game devs to just do it WoW's way: people have to buy the game again, buy the sub all over, making more profit for the developers. And the cycle continues.
All of these types of things get brought up in every game that exists with potential for hacking. It's nice to have dreams of a hack-free game but it's not reality.
You can CPU ID ban players, have systems that detect macros, detect speed hacks, have catchphrases to check player activity. But then you gotta think about accidental bans. What you don't know about is when someone gets banned by mistake. An anti-hack program accidentally bans 2000 people by mistake, or your PC is laggy and you end up teleporting, which triggers the speed hack detection and you get banned. Or the macro is just the speed of your normal gameplay and you get banned for not doing anything. Or your antivirus gets you banned because it was scanning the memory. You can look at almost every anti-hack system made by top producers and pick some kind of annoying problem. GameGuard is hot garbage on a sunny day; it's banned so many people by mistake.
College Lessons
I also think it is a good idea to have a bounty program that offers cash rewards for game-breaking or economy-breaking exploits.
I agree with @Noaani that bounty programs will not get people to report exploits if they are making more money selling that exploit than they are rewarded as a bounty. But let's hope that a honeypot system will catch most of those people.
-Karp
Then, you're part of the problem. Shame on you and your friends.
I don't know how effective a bounty system would be. A lot depends on implementation obviously. No matter the choice there, I think gamifying the bug reporting system might work. Some sort of system where the QA team receiving the bug reports grade them as useful or useless, and if it's a brand new bug the player has found, or a known bug the player just confirmed.
I think it would create a positive feedback loop, where the players can see the report as received and read, and not just disappearing into a void. If they also get quick feedback from the QA person, with a quick rating system and perhaps some common options like "need more details", "lacks steps to reproduce bug" and such they can check off.
Tie the whole thing into some titles players can achieve. Maybe some emotes/dances/cosmetics. The more quality bug reports they write, the more they get.
If a bounty system with real cash is implemented, it can be tied to the above system too.
I want a Superman pose, an Usain Bolt victory pose, and a Christopher Walken Weapon Of Choice dance.
Agreed. Bad report systems just make it feel like your reports are going straight into the shredder.
That said, almost all serious bugs I have found and reported in the past I e-mailed directly to developers/producers.
You have to tie the system to in-game time though and not real world time, so you can't just log out and avoid the penalty. If you lose to bounty hunters of this kind then you have a high chance to lose equipment in your inventory and equipped. Not 100% like corrupted though. Just enough to scare the shit out of you, but not enough to guarantee a loss of progress.
U.S. East