Suggestion: Incentivize Reports of Exploits and Bugs

atomicstorm

Slayer
Joined
Aug 21, 2013
Posts
8,974
Location
Blockchain
Avatar Name
MeLoveYou LongTime FiveDolla
The recent illumination of the issues of exploitation of the Yog Horror has been a massive blow to the community's morale, trust in each other, in the event system, and most importantly our trust in Mindark.

The frequency and regularity of various bugs being exploited to produce an unfair advantage over other players makes it appear as if Mindark does not care. This is further exacerbated by support cases going ignored or at least the impression that they are.

There are 3 primary reasons I believe people intentionally exploit bugs for personal gain:

Reason 1: FOMO. When people discover a bug and identify how it could be used to gain an unfair advantage, they likely presume that someone else has also discovered it and has been using it for a long time. These people feel that, unless they exploit the bug themselves, they do not stand a chance at competing with those who do.

Reason 2: Complacency. This is one of the consequences of the long history of bugs being exploited with minimal punishment to the offenders, and minimal (if any) reward to the whistle blowers. This causes people to think - well if Mindark hasn't done anything about it by now, I guess they approve it.

Reason 3: Scorched Earth. Personal gain no matter what the expense to others. This is unfortunately the mentality of a significant amount of people.

Whether people exploit bugs for one or a combination of reasons above, they have somehow weighed the risk vs. reward and decided that the reward outweighs the risk. In most cases, at least at an individual level, they are right. People who intentionally exploit bugs for a personal advantage at the expense of others are rarely punished. When they are, it is viewed as very light handed. Why have it in the EULA/TOS when you do not enforce it?

What can be done about it?

I propose a two-pronged approach to attach this problem.

First: sanctions needed to be placed against offenders of exploits. I am not saying permanently ban everyone who exploits for personal gain. The punishment should fit the crime AND be consistent. DannyO's punishment was a good start. Giving temporary locks and punitive skill reductions, especially when they are attributes, will likely result in a much higher weight being given to the risk side of the equation.

Second: Reward the reporters. The Yog Horror exploit is a prime example of the meticulous attention to details by some of the players. That is not one that most people would have figured out on their own. The people who figured out how to identify that bug clearly have a unique skill set. If those skills were applied in a positive context, then a positive change can occur. I also propose that a generous reward system be implemented for people who report bugs that could potentially be exploited for personal advantage. I also propose a reward system for reporting general bugs. A sliding scale between a few hundred PED to perhaps 25000 PED worth of Universal Ammo (or strongbox keys), awarded based on the potential severity of the bug, should be developed. (Take: If Mindark needs help on developing such a system, contact me.) This would create a race to report bugs. The people with the skills to identify these bugs would be highly incentivized to provide an in-depth, wide-spread, and multi-perspective QA service to Mindark and the community.

I believe these two simple measures are very reasonable. The punitive actions would provide a deterrence from exploiting bugs and the sliding scale reward system would provide a much needed high quality QA system, which obviously does not exist today, at a comparatively low cost.

If Mindark is not willing to invest in a QA system internally, they need to crowd source it.

The net effect of this system would be a substantial reduction in bug exploitation scandals, a significant and much needed improvement of the quality of the Entropia Universe platform, and an exponentially higher level of confidence in the integrity of Mindark, the event systems, the community, and Entropia Universe as a whole.

$5 out.
 
Considering how much bugs MA create per VU they will probably go out of business if they develop a bug reward system. Plus not to mention the former exploiters would find a way to 'exploit' bug reporting itself to get peds.

I do agree on concise and escalating punishments though. First offense. Temporary ban (depending on severity of exploit i.e how much gain the person got from it). 2nd offense. 6 months ban. 3rd offense 12 months. 4th Offense account termination. Something like that.

They just need to be very transparent when it comes to stuff like this. For example they stated how many players exploited already on the current summer mayhem. They should've taken punitive action against them (disqualification from event at the least). They should've also named them, so they can be shamed for their actions.

They also need to hire better coders. Invest in actual proper testers to find said bugs before they even get to VU.
 
Love this suggestion and as long as mindark is giving rewards that cant be withdrawn but instead have to be used/consumed this can never be expensive to them.
Why not make it a token system with a token trader and players can work over time collecting tokens for reported bugs/exploits until they have what it takes to buy what they want from the trader.


The important part however is that mindark acts uppon reportet bugs, theere needs to be something happening every week for players to get into the spirit/feeling that what they do is improving the game. You were able to fix yog horror in an hour - there is tons of bugs of a similar difficulty/work intensity to fix around the universe - plan an hour each day for bug fixing so you can display your progress to players each week. The added advantage will be that your devs really get to know your code and development speed increases in the long run.
 
Love this suggestion and as long as mindark is giving rewards that cant be withdrawn but instead have to be used/consumed this can never be expensive to them.
Why not make it a token system with a token trader and players can work over time collecting tokens for reported bugs/exploits until they have what it takes to buy what they want from the trader.


The important part however is that mindark acts uppon reportet bugs, theere needs to be something happening every week for players to get into the spirit/feeling that what they do is improving the game. You were able to fix yog horror in an hour - there is tons of bugs of a similar difficulty/work intensity to fix around the universe - plan an hour each day for bug fixing so you can display your progress to players each week. The added advantage will be that your devs really get to know your code and development speed increases in the long run.

That would be a great thing to see. Like 99% of bugs and possible exploits would be reavealed instantly by the players, 50% fixed, but still a gain for us the rest that dont know or dont wanna exploit them. And not the last for sure we would see many bots reported.
 
The main problem is, even if you submit a support case, MA closes them immediately and there is no way to follow up with them without making a new one, which will just be closed immediately again too.

We need a proper ticketing system so we know what bugs are acknowledged and only close ONCE they are fixed.
 
even if you find bugs and report them, they may still be around years later... and maybe even worse, MA pretending the bug didn't happen/doesn't exist...
 
Nice ideas.
A reward for reporting abuse of system would be a good idea. Reward for finding bugs, not sure. What is a bug, what is a feature? Too much room for interpretation on both sides. Rewarding with universal ammo would not do any harm to the system, but then perhaps pure crafters are upset?
But one thing not, no obligation to name exploiters. If they are catched and receive a ban it is enough. There is no need to pillory someone.
Sooner or later the community find out if they want to. Sure it leaves room for conspiracy, but from time to time I have the feeling that the community would be dead without that conspiracy stuff. What happened the last days might be a good example.
 
I think the recent Danny O punishment. Implied MA are prepared to strip players of over a decade of attributes. Maybe that was a one off. But blimey if the witch hunters run the show, sooner of later you will hang an innocent player from the nearest tree.

That was a field heal chip, not even a gun making extra income.

I dont want to be punished for an unknown bug. I log in, add pets and rings to my ava and shoot. Simple as that.

If anything we need clarity, on types of punishment. Even judges in the real world have set limits based on categories of crimes committed.

Plus we have no jury either. Worrying indeed.

Rick.
 
If I followed all the Yog threads recently closely enough, the YOG issue was reported to Mindark over 2 years ago, and the entropia raider auto hunt thing was reported to Mindark about 4-5 years ago... Mindark does not give two dung about exploits as long as the community does not send too many support tickets in on it... wish it was the other way around. In ancient days, they did give compensation to bug reporters, and now they've got a compensation channel in the thing you track deed roi on, so it's possible they could do more, but whether or not they do... that's up to them I suppose. When's the last time My posted on the forum?
 
I think the recent Danny O punishment. Implied MA are prepared to strip players of over a decade of attributes. Maybe that was a one off. But blimey if the witch hunters run the show, sooner of later you will hang an innocent player from the nearest tree.

That was a field heal chip, not even a gun making extra income.

I dont want to be punished for an unknown bug. I log in, add pets and rings to my ava and shoot. Simple as that.

If anything we need clarity, on types of punishment. Even judges in the real world have set limits based on categories of crimes committed.

Plus we have no jury either. Worrying indeed.

Rick.

Tbh it feels like that was some sort of publicity stunt from MA - to try and restore faith in them. Otherwise they would've taken more steps by now to punish those who exploited with yog pet on this years event already (like instant disqualification at least) and those in the past punitive actions. Not to mention that apparently the reload bug still works (just not on laser weapons now). So potentially people can be abusing it still as we speak.
 
Great post! Well worded, and well thought out.

I'm definitely in favor of a system that rewards players for reporting bugs, while punishing those that exploit them.

I would add that this game could benefit from investing into some anti-cheat software to go along with it.
 
Excellent suggestion from FiveDolla and one that in an ideal world would kill several birds with one stone.

As others have pointed out, in this imperfect universe we live in, MA's technical support almost makes a point of being as unsupportive and unreactive as possible.

From my little experience, I have opened a ticket about the Daikiba 10k stage 5 mission on RT, which does not award the promised tokens anymore and has got stage 6 disabled. To the best of my knowledge this is not a change announced in any VU, though I feel it might be related to recent accusations about botting on RT.
The point is though, this ticket is not about controversial issues, is about simple, basic game mechanics and yet after 4 weeks, I haven't received any reply one way or the other.
This does not bode well for any bug reporting issue system, I fear.

Alternatively, the community might consider introducing our own Code of Conduct, similar to the practices used in the software industry for vulnerability reporting and adopting a “responsible disclosure”.

In short, a player would report a bug to MA's Technical Support, and give them, say a week to acknowledge and come back with a plan. Should they not bother, the player would then publish a generic description of the bug on the forum. If after 4 weeks MA still haven't taken action, the player would disclose full details of the bug.

Throughout the period, the reporter would have full use of the bug/exploit (that's the "reward"), and once disclosed and available to the entire community, any benefit would probably decrease or cease to exist. It might also still work, not everybody can afford a yog horror at 10k, but at that point it would be considered accepted by MA and all, and we would get on with our game without pointing fingers at each other. This system would address both Reason1 (FOMO) and Reason 2 (Complacency). I am afraid there's no way to address Reason 3 (Scorched Earth).

Bottom line, if MA are happy with everybody using 55% reload, let's just all have it.

But back to $5's suggestion, I want to add my name to the list of strong supporters. Count me in!
 
Oh, I love this idea!

Just to get a little perspective on how that used to work, here are some posts and pictures.


http://www.entropiaplanets.com/thre...eady-ingame-since-a-decade.22660/#post-137419

Here is one screenie: more info on that thread link.

attachment.php
 
Last edited:
its a nice idea but we wont be getting something like this. ever.
for the same reason we didnt get a referral system. or for the same reason the exploiters arent perma banned. Mindark fear that they are losing money and go out of business. but they are too shortsighted to see that they lose more money on doing nothing.
 
Completely agree.. in fact, I suggested the same to them a few years back after (unfortunately) having to report a fairly large bug (it was big they fixed it the next day!)

But yeah if youncare about the game, incentivizing the players to police all corners of a RCE, could go a long way toward cleaning things up.

Nice initative!
 
Would be great, find a bug, exploit it for 2 years on an alt account, transfer the profits slow over the 2 years so as not to look shady, then report it and get a payday...what could go wrong???
 
100%+5$

Crowdsource is key.
 
Oh, I love this idea!

Just to get a little perspective on how that used to work, here are some posts and pictures.


http://www.entropiaplanets.com/thre...eady-ingame-since-a-decade.22660/#post-137419

Here is one screenie: more info on that thread link.

attachment.php

Good point, in that THE INCENTIVE TO REPORT AND BE REWARDED ALREADY EXISTS!... It's just very, very underutilized at the moment. They created the whole compensation thing, albeit due to incorrectly allowing the technician to do some oddball things, but since it's there, USE IT!
 
...
Otherwise they would've taken more steps by now to punish those who exploited with yog pet on this years event already (like instant disqualification at least) and those in the past punitive actions.
...

I`ve said it before, MA didn`t do anything and will not do anything.

They knew and allowed the exploiting because it was making money for them too (via rake).

Heck, some determined exploiters could even take MA to Court: "we (the players) reported the exploit, you (MA) allowed it for so long because it was making money for you too, now you ban us and want to confiscate our inventory??".
MA is now in a loose-loose situation because of their greed and their lack of professionalism (not considering ALL the implications of the exploiting).

This is why they can`t do anything, other then resetting some scoreboards...
 
Last edited:
I`ve said it before, MA didn`t do anything and will not do anything.

They knew and allowed the exploiting because it was making money for them too (via rake).

Heck, some determined exploiters could even take MA to Court: "we (the players) reported the exploit, you (MA) allowed it for so long because it was making money for you too, now you ban us and want to confiscate our inventory??".
MA is now in a lose-lose situation because of their greed and their lack of professionalism (not considering ALL the implications of the exploiting).

This is why they can`t do anything, other then restting some scoreboards...

That would be a difficult battle to win in court. It'd probably be far easier to battle both Mindark as well as the Planet Partners on the grounds of false advertising since there's multiple examples of that happening historically...

...

...

...

...

...

...

...

...

...

ek5w0kaqwjn2ecj6c61kgsobtvbluhu


but... uh, no need to go in to great detail on this front and have this thread closed just yet I suppose. :)
 
Last edited:
Not really necessary, people happily report others and gleefully watch them get in the slammer every chance they get. This applies to competitive environments anywhere. The only exception is when someone believes to be the only one who found out about an exploit and would not get caught using it too easily. Once a stage is reached where everybody thinks they have no chance unless exploiting it as well, it is already widely known and the platform operator overdue with doing something about it.

The only incentive needed is actually acting on reports. If it is true that it was brought to their attention already long ago but got ignored just because there wasn't a public scandal right away, then they are as much to blame as the expoiters. I asked in another thread to produce the support case reporting the Yog issue, if possible. If it's not true, then spreading the rumour and basing accusations on it amounts to slander. With all possible consequences.
 
The net effect of this system would be a substantial reduction in bug exploitation scandals, a significant and much needed improvement of the quality of the Entropia Universe platform, and an exponentially higher level of confidence in the integrity of Mindark, the event systems, the community, and Entropia Universe as a whole.

hellz ya

Considering how much bugs MA create per VU they will probably go out of business if they develop a bug reward system. Plus not to mention the former exploiters would find a way to 'exploit' bug reporting itself to get peds.

True, but I do think there are ways to mitigate that issue. Also the exploiters changing hats isn't the worst thing in my opinion, at least it would get reported quickly.

Love this suggestion and as long as mindark is giving rewards that cant be withdrawn but instead have to be used/consumed this can never be expensive to them.
Why not make it a token system with a token trader and players can work over time collecting tokens for reported bugs/exploits until they have what it takes to buy what they want from the trader.


I think only the most serious bug reports that are then verified should get a "spendable" reward. Basically the loss the game would have to soak from the bug would have to be serious to justify paying a player, and would have to be something MA didn't spot. While easy to moderate bug reports that "help" should be given a status symbol. Unique cloths with hard to acquire texture or colors of their choice, free avatar make over like character creation, all sorts of cool things they could do without spending a ton that players would appreciate.




Would definitely be tough to implement, but a merit system for people being good samaritans would be awesome. Although.... good luck getting MA to do anything like this :mad:
 
I think only the most serious bug reports that are then verified should get a "spendable" reward. Basically the loss the game would have to soak from the bug would have to be serious to justify paying a player, and would have to be something MA didn't spot. .... good luck getting MA to do anything like this :mad:


It probably costs between $75,000 and $150,000 (USD), per year, per programmer - after overhead.

Granted, they probably won't dedicate 'all' of a programmer's time to sniffing out bugs. So let's say they have an internal initiative to improve discovering and getting rid of existing bugs - lets call that dedicating 10% of 3 programmers time. That costs MindArk between $22,500-$45,000 per year, for great but not 'near-perfect' results. This is options #1. It's a good option. It's basic business.

How quickly would nearly 'every' bug in the game get found out if they put in place an 'event' style crowd sourcing reward system, lasting 6 month?

  • Reward 100 PED for the first report of 'every' bug - with documentation on how to get it to repeat,
    • $10 usd is about 15 minutes in real world labor costs
  • Reward 5000 PED for the first report of every 'serious' bug- with documentation on hot to get it to repeat
    • Yog bug has cost 'way' more than $500 in community relations
  • Reward 10000 PED to 10 random bug reports at the end of the event.
    • Online News Release: Entropia Universe is giving away over $10,000 to players, to find any remaining bugs!

Options #2:

Better results? Check!
Less cost to MA? Check!
Make player base happy? Check!
Possibly bring in new users & make news? Check!
Easy to implement? Check!
 
[*] Reward 5000 PED for the first report of every 'serious' bug- with documentation on hot to get it to repeat
  • Yog bug has cost 'way' more than $500 in community relations

pretty sure the crafting/mining bug during loot 2.0 has gotten MA a lot of money, which may be the whole reason it's still around after almost 3 years, despite being reported numerous times.

Reporting serious bug is one thing, getting MA to actually fix it is another... Even if you find the serious bug, MA may just deny it's existance and then you'll get no money.
 
Last edited:
pretty sure the crafting/mining bug during loot 2.0 has gotten MA a lot of money, which may be the whole reason it's still around after almost 3 years, despite being reported numerous times.

Which bug is this? I'm coming back from a two year break.

Reporting serious bug is one thing, getting MA to actually fix it is another... Even if you find the serious bug, MA may just deny it's existance and then you'll get no money.

True.

Having the bugs /exploits made public (1 week, maybe?) after being reported would also help that......Motivation works best when there is both a carrot and a stick.
 
Which bug is this? I'm coming back from a two year break.

Loot 2.0 was supposed to be hunting changes only, however every change to hunting (like base-return; multiplier frequency and size) carried over to crafting/mining as well, with the exception of bonus-shrapnell ofc.

So while loot 2.0 was supposed to be:
hunting: lower base tt-return, lower multiplier frequency and size, with bonus shrapnell to compensate

loot 2.0 ended up being:
hunting: lower base tt-return, lower multiplier frequency and size, with bonus shrapnell to compensate
crafting/mining: lower base tt-return, lower multiplier frequency and size

Despite the supposed to be hunting-only changes carrying over to crafting/mining as well, MA still claims that loot 2.0 was hunting only and that mining/crafting would have remained untouched.

Which begs the question, does MA even play their own game sometimes? or are they just doing it because of the extra profit the nerfed crafting/mining returns give them?
 
Last edited:
Considering how much bugs MA create per VU they will probably go out of business if they develop a bug reward system. Plus not to mention the former exploiters would find a way to 'exploit' bug reporting itself to get peds.

This is the incentive to Mindark to be smarter. It incentivizes them to do better because if they don't, they look bad and it gets costly. This proposal works in all ways.

So the question is to Mindark: Do you want to improve the game or are you good with how things are right now, despite the overwhelming complaints?

Also, I reported an exploit a few days ago. They have 1.5 weeks to fix it before I go public with it.
 
Good point, in that THE INCENTIVE TO REPORT AND BE REWARDED ALREADY EXISTS!... It's just very, very underutilized at the moment. They created the whole compensation thing, albeit due to incorrectly allowing the technician to do some oddball things, but since it's there, USE IT!

This is true, but it does not seem formal - which is ultimately the OP's assertion. While this may be a regurgitation of something that already exists, it needs to be brought back to life and put in Mindark's face.

All these "rewards" and "initiatives" are very loosely defined. It is inconsistent at best. You can report a bug or exploit and it sits in the support case that never gets looked at because for some reason this company thinks it is okay to have such poor SLA times. If this company REALLY cares about it's customer relations, they will improve response times and start being serious about improving their platform.
 
I`ve said it before, MA didn`t do anything and will not do anything.

They knew and allowed the exploiting because it was making money for them too (via rake).

Heck, some determined exploiters could even take MA to Court: "we (the players) reported the exploit, you (MA) allowed it for so long because it was making money for you too, now you ban us and want to confiscate our inventory??".
MA is now in a loose-loose situation because of their greed and their lack of professionalism (not considering ALL the implications of the exploiting).

This is why they can`t do anything, other then resetting some scoreboards...


To be honest, I don't think the mindark's data stores registers linked to all times when a person takes their pet (in and out) from their personal storage, nor the hunting downtime. So if MA cannot know what really happened, it cannot determine the culprit either.
 
Well. What about POE? (Or is it PotE?)
 
Last edited:
Back
Top