New dev blog: Responsible Disclosure - Reporting Security Issues

CCP Guard
C C P
C C P Alliance
#1 - 2011-09-21 16:12:18 UTC  |  Edited by: CCP Fallout
CCP Sreegs, the chief of CCP's security forces, has written a dev blog on how to responsibly report security issues and make the world a better place. He also tells us a little bit about what's in it for those who do.

Check it out here and if questions arise, this comment thread is where you want to write them down.

CCP Guard | EVE Community Developer | @CCP_Guard

Spanking Monkeys
ZC Omega
Goonswarm Federation
#2 - 2011-09-21 16:14:57 UTC
yay, maybe first
ConstantinValdor
Science and Trade Institute
Caldari State
#3 - 2011-09-21 16:24:54 UTC
Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.
T'amber Anomandari Demaleon
#4 - 2011-09-21 16:25:08 UTC  |  Edited by: T'amber Anomandari Demaleon
..cough..

someone else can say it.

ps. is over 2 hours video footage of you dancing and singing to Rocky Horror Picture show with CCP Steegs while CCP Nova is projectile vomiting a security issue for CCP if not for those involved? If not, I'm sure it's still worth a plex or two. Lol

www.shipsofeve.com

CCP Sreegs
CCP Retirement Home
#5 - 2011-09-21 16:33:27 UTC
ConstantinValdor wrote:
Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.


Reporting a bot itself really wouldn't qualify in this program. Reporting something like a new or privately created bot, or giving more valid insight into an organization with actionable information would. :)

"Sreegs has juuust edged out Soundwave as my favourite dev." - Meita Way 2012

Maven Deltor
Bad Sekta
#6 - 2011-09-21 16:49:04 UTC
Thanks for the updates, love them all.
Callic Veratar
#7 - 2011-09-21 16:57:47 UTC
I would like to see two new classes of petition created:

- A Bug Petition, so that I don't have to leave the game, figure out where to go, create the bug report and flip back and forth to capture it in full detail. (Even better would be the ability to capture user input that triggers the bug.)

- A Security Petition, so that there's no question to where I go to report things. (Again, allowing me to log info through some form of capture mechanism would be great here too.)
Tork Norand
Perkone
Caldari State
#8 - 2011-09-21 17:17:20 UTC
A few reward options come to mind....

1) Skill Points for small things. Hell, this would work great for reporting bots (at 1,000 SP for each verified bot report, you may just introduce a new profession....) but for the "small things", I think SP would be appropriate.

2) PLEX, but in 1-week increments....not only the 30-day version.

3) For people who actually use AUR (meaning they ask for this reward type), a deposit into their AUR account. Since the items aren't game changing anyway, this would let those who want to use it to have a way to increase what they have now.

Just what comes to mind...

--Tork. CEO and Herder of Cats.

Orisa Medeem
Hedion University
Amarr Empire
#9 - 2011-09-21 17:19:23 UTC
I think one of the main problems is that a dev-blog only gets so much visibility, and only for so long.

If someone wants to report a security issue some six months from now there is some 95% chance he won't have read this blog (or any other blog from the security team for that matter), and even if he did it is quite possible he won't remember it.

That's probably why those four ways people try to raise security issues are so common.

The petition system is always there. You can create a petition from inside or outside the game.

I think promoting that "Exploits" sub-category to a category of its own would give it more visibility and, upon selecting it, the system could give the player better instructions on how to properly submit a security-related issue. This would go a long way to ensure that the information reaches the right people.

:sand:  over  :awesome:

Two step
Aperture Harmonics
#10 - 2011-09-21 17:23:42 UTC
Can you post CCP Soundwave's address so I can send him some spare Anime I have laying around?

CSM 7 Secretary CSM 6 Alternate Delegate @two_step_eve on Twitter My Blog

ORCACommander
Obsidian Firelance Technologies
#11 - 2011-09-21 17:29:25 UTC
name in lights?

but ya always a good policy to bribe those that could damage instead of giving them incentive to take advantage.
Sentient Blade
crisis atmosphere
Coalition of the Unfortunate
#12 - 2011-09-21 17:31:05 UTC
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.
The Mittani
GoonWaffe
Goonswarm Federation
#13 - 2011-09-21 17:35:05 UTC
A reliable source informed me that since Soundwave likes anime and manga so much, when the CCP office began playing 40k, he insisted upon being the Tau player. He just can't get enough battlesuits!

~hi~

Chribba
Otherworld Enterprises
Otherworld Empire
#14 - 2011-09-21 17:37:53 UTC
How about PLEX for making New Eden a better place as a working title.

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar

Tork Norand
Perkone
Caldari State
#15 - 2011-09-21 17:49:57 UTC
Chribba wrote:
How about PLEX for making New Eden a better place as a working title.


Informative, but I think it's a bit of a mouthful...assuming the part I underlined is the full working title....

--Tork. CEO and Herder of Cats.

malaire
#16 - 2011-09-21 17:55:46 UTC  |  Edited by: malaire
Sentient Blade wrote:
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.


Permanent ban of all your accounts on first offense of client exploiting.

from Current Botting and Exploit/Client Modification Policies - 12/5/2011:
Quote:

One other thing to note is that at ALL levels all actions are levied against all of your accounts.

Client Modification or exploiting – First Offense – Permanent Ban

New to EVE? Don't forget to read: The Manual * The Wiki * The Career Options * and everything else

Bugcheck
Israeli Gold Miners Union
#17 - 2011-09-21 18:06:59 UTC
A TL;DR would have been nice.

Only responsible way of reporting security issues is mailing security@ccpgames.com, not filing bugs/petitions. Be responsible and you may receive PLEX.
Zarnak Wulf
Amarrian Vengeance
Team Amarrica
#18 - 2011-09-21 18:07:24 UTC
Instead of PLEX can I get a BPO for a Frekki? P
Aineko Macx
#19 - 2011-09-21 18:16:55 UTC
malaire wrote:
Sentient Blade wrote:
This dev blog is informative, but what it does not cover is CCP's response to those who may dedicate time to deliberately trying to identify bugs and security weaknesses, and what repercussions it may have upon them and their accounts.


Permanent ban of all your accounts on first offense of client exploiting.

from Current Botting and Exploit/Client Modification Policies - 12/5/2011:
Quote:

One other thing to note is that at ALL levels all actions are levied against all of your accounts.

Client Modification or exploiting – First Offense – Permanent Ban

Unless this is changed people will be wary of reporting issues. It's not like people didn't learn from CCP's reactions... *cough*
ConstantinValdor
Science and Trade Institute
Caldari State
#20 - 2011-09-21 18:35:15 UTC
CCP Sreegs wrote:
ConstantinValdor wrote:
Plex for reporting a bot (that in turn is investigated and is warned/banned) = major help in the war against botting.


Reporting a bot itself really wouldn't qualify in this program. Reporting something like a new or privately created bot, or giving more valid insight into an organization with actionable information would. :)


No, I understand that this doesn’t qualify for it. I also understand that CCP needs to make money and laying down the banhammer on botters will severely impact CCP's revenue, while at the same time doing too little will anger a lot of people not botting (but probably won't cause as much of an impact to CCP's revenue as the former). So I understand that they need to maintain a sort of unspoken of balance around the botting issue; all I'm saying is that plex for bot reporting is a good idea to maintain that balance.