| Pages: 1 [2] 3 :: one page |
|
|
| Author |
Thread Statistics | Show CCP posts - 24 post(s) |
Zhilia Mann
Tide Way Out Productions
12
   |
Posted - 2011.09.21 20:38:00 -
[31] - Quote
Three positive dev blogs in a row and in under a week. Ok, I'm convinced this whole thing isn't dying just yet. So far so good. |
Sered Woollahra
No Fixed Abode
LEGIO ASTARTES ARCANUM
1
|
Posted - 2011.09.21 21:01:00 -
[32] - Quote
Tork Norand wrote:A few reward options come to mind....
1) Skill Points for small things. Hell, this would work great for reporting bots (at 1,000 SP for each verified bot report, you may just introduce a new profession....) but for the "small things", I think SP would be appropriate.
2) PLEX, but in 1-week increments....not only the 30-day version.
3) For people who actually use AUR (meaning they ask for this reward type), a deposit into their AUR account. Since the items aren't game changing anyway, this would let those who want to use it to have a way to increase what they have now.
Just what comes to mind...
I like this suggestion, of different levels of rewards depending on the severity of the issue discovered. Other parties do this as well: Google for instance has a policy of paying between 500 and 1337 USD per Chrome bug found according to this blog entry: http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
And Facebook, whose normal bounty is 500 USD per bug found, has paid up to 5000 USD for single bugs as they mention here https://www.facebook.com/notes/facebook-security/updates-to-the-bug-bounty-program/10150270651335766.
And although slighly OT, the idea of rewarding bot hunting with skill points or AUR sounds very interesting too. A new profession indeed.. |
Manfred Sideous
Body Count Inc.
Pandemic Legion
4
|
Posted - 2011.09.21 21:05:00 -
[33] - Quote
Screegs the only security hole I could find was your anus on our last date.
Recommend buttplug |
darmwand
wiremaniacs
0
|
Posted - 2011.09.21 22:39:00 -
[34] - Quote
Quote:That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it.
Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool.
That said, I'm glad you are trying to get the community involved. Nice devblog. |
Manfred Sideous
Body Count Inc.
Pandemic Legion
6
|
Posted - 2011.09.21 23:33:00 -
[35] - Quote
Screegs
YOU BEEN HAZED! |
|
CCP Sreegs
C C P
C C P Alliance
101
|
Posted - 2011.09.21 23:44:00 -
[36] - Quote
Manfred Sideous wrote:Screegs
YOU BEEN HAZED!
stop hazing me man |
|
|
CCP Sreegs
C C P
C C P Alliance
101
|
Posted - 2011.09.21 23:49:00 -
[37] - Quote
darmwand wrote:Quote:That's pretty much essentially what we'd consider enabling, but as you so eloquently pointed out there are significant moving parts that need to be coordinated in order for that to happen, which is why I haven't firmly committed to it. Sounds interesting. Or at least allow people to easily get permissions to poke around a little, basically a mechanism where I could say "I'd like to do some weird things to your forums and, if I find anything, I'll report it back to you. In turn, you won't ban me for trying" would be cool. That said, I'm glad you are trying to get the community involved. Nice devblog.
The idea of whitelisting is certainly something I'd take into consideration, but I do have concerns about availability of services in that scenario. Something else I've considered to ease the burden is rotating services, which can be difficult due to interdependence, and running contests or something. Really this is exactly the type of feedback I'm hoping to obtain.
I really want to establish something that can harness the community, but I also want it to be interesting and worth everyone's while. I really don't just want to be like "Test crap is up" then a week later "ok I updated the list of guys here's your gold star". I want to facilitate engagement and a sense of ownership, but also give people a chance to contribute to something they enjoy and in some cases further their education. Our community has a ridiculous number of security professionals and security professional-to-be's. |
|
Ubee Rubiks
Caldari Provisions
Caldari State
0
|
Posted - 2011.09.22 00:53:00 -
[38] - Quote
Sorry to detail this thread a little bit but it made me wonder, if reporting forum security in the petition system does not get sorted to the right people in a speedy manner then what happens when someone petitions for a stolen account? Does that get sorted and investigated in the same way? |
Blazde
4S Corporation
Morsus Mihi
0
|
Posted - 2011.09.22 05:36:00 -
[39] - Quote
Great initiative that's very needed. I'll cover some of my worst experiences reporting bugs in EVE and why I became so disillusioned with it I wouldn't even report a serious security vulnerability because it's a clear waste of time. Not all of this is security related and it's not clear how much you consider ingame exploits 'security' stuff, but I did always prioritise security bugreports anyway, and just perhaps if you make a success of the security stuff you can use it to trigger fixing the wider bugreporting problem. Edit: And sorry it got really long, this is mostly my entire reason for becoming a bitter CCP-hating vet ^^ and you're the first dev I've seen even acknowledge the problem in 6 years so maybe my rant can help 
Incentive wise I think the most important thing to begin with is convincing people submitting the bugreport has any effect at all and is worth their effort. This goes most quality bugreports that take time to make which is probably why the bugreport system is flooded with low-quality no-effort, frustrated "You guys are idiots the whole thing is broken" type reports atm (and I can't help noticing you basically confirmed devs don't read bugreports because it's not worth their time)
So that means:
1) The report isn't rejected or important details edited out of it by a bughunter who doesn't understand it. [email protected] sounds promising but still if there is any kind of screening then feedback on that is needed. At least under the current system if a bughunter edits your report you get to see how and if they've royally screwed it up you can reedit and explain where they went wrong. Ideally I think a special security category in the existing bugreporting system that explicitly bypasses bughunters and goes straight to security-conscious devs (but otherwised functions the same for report feedback) would be best
2) The problem must be actually fixed reasonably quickly (not incorrectly filed under the 'UI related - ignore' category forever). There's a knock on effect here: not only is it disheartening to spend effort reporting a problem and it not be fixed but also if you know reported problems often aren't fixed then the chances are much higher the problem you're about to report has already been reported by someone else, potentially years ago - so why waste time reporting it again
Way back in 2004 I reported a whole clutch of security-related problems. Mostly it was a satisfying experience (the most serious server-crashing bugs were fixed very fast and I dodged a deserved perma-ban) but 5-6 years later I learnt two of those exploits (related to the directional-scanner) hadn't been fixed and were being used fairly widely in client hacks. I had my local CSM rep raise it and he got zero feedback. They may or may not be fixed now - I don't know - but after spending time investigating, writing-up and chasing-up obviously I stopped caring
3) Some reasonable feedback on whether the report was useful. Some people might like a quick mention in the patch notes which should be easy enough, but even a quick one-line private evemail/email saying 'thanks - your report helped' if that's actually the case, from the dev who fixed it would be awesome. If 100 people report an obvious bug then the current bugreport feedback is fine, but if 2 people's reports were absolutely instrumental in it getting fixed they deserve to know that so tell them that and give them the warm fuzzy feeling of knowing they made a difference, so they can do it again
Couple of years ago I set out to investigate the huge descyncing that was happening at the time. It was already a 12 month old problem that was becoming worse as capital fleets grew in size and was disrupting every op often causing lost capitals (that never got reimbursed even under the pre-Dominion policies, GMs often blamed client-lag). Pretty quickly I had a reproduction case but knew it would be a lot of effort to refine it and write it up properly - this is important btw: investigating bugs is fun (for some of us), writing them up is tedious. So I poked some devs and BHs in #eve-chaos to see if they already had a reproduction case, fairly sure they must because it was obvious. The only dev I got a response from said he couldn't talk about the current status of bugs in case what he said was spun by players as a promise - something like that, it was unhelpful anyway :) A helpful BH (these are rare!) lacked access to check. However another player said he had reported desync with a solid reproduction case so I dropped it for a few months. When it still wasn't fixed given it was a well-known bug with reproduction I figured CCP were just being lazy so pushed Vuk to raise it on the CSM, even helping write some of his campaign material specifically about desync. At the CSM summit they said they had no reproduction case and would I submit one, so I went to work writing up the case and motivated by the fact the devs had got nowhere in 18 months also reverse-engineered the heck out of the client and pin-pointed the most major cause of the bug. By now it was dozens of hours of effort, a lot of it was fun of course or I wouldn't have done it, but some tedious and I submitted the report happy that I'd worked to fix a serious bug in a game I loved. A couple of months and an expansion later it still wasn't fixed so I poked through the CSM again and got told it'd been deprioritised in the rush to expansion
... |
Blazde
4S Corporation
Morsus Mihi
0
|
Posted - 2011.09.22 05:38:00 -
[40] - Quote
...
A long time later it was eventually fixed, however then a devblog appeared telling in excruciating detail how this long-running difficult bug had been squashed by the extreme determination of our awesome CCP devs. Apparently a former-bughunter (then dev) had discovered a reproduction case and they'd gone on a difficult journey over many weeks to discover exactly what I'd reported 6 months earlier (and then a little further and actually fix it and quite a bit further to fix related issues). I don't doubt the devs put a lot of effort into fixing it and I personally didn't want a public mention especially not in a devblog, but it was hugely insulting that there was zero reference to player bugreports (and I'm sure there were plenty on the issue besides mine). Either the devblog was fictional or my weeks spent on the bugreport were wasted because it was never read by the right people and they had to duplicate my effort (not just wasting my time but wasting valuable dev resources)
Either way it was a monumental disincentive to ever report a bug again, security or otherwised. The worst thing is desync still exists and with plenty of experience, leads and a custom tool I could have helped fix more of it with just a little technical feedback to avoid investigating dead-ends and some indication that the effort was worth spending at all
Other stuff that might help:
Reimbursement - There was a 'decloak-in-warp and gain mass to bump stuff violently' exploit a while back. Again I reported and 6 months later it was still unfixed when a corp-mate lost a titan over it. It was stolen rather than destroyed which made it a difficult/impossible reimbursement case but I think in similar cases where reimbursement is at least possible then a bugreport related to the issue that caused the loss should influence the reimbursement. I lost a nid to the desync and if a dev ever approached me about a 'reward' then reimbursement of it would have been very appropriate. Another non-security example that comes to mind is ships dying >15 minutes after log off which I could have gotten a token-Devoter reimbursement over. For me at least the ISK-value is irrelevant but the acknowledgement from CCP that bugs in EVE probably caused the loss and that instead of whining in a petition the player set out to solve the bugs and get them fixed is. Spending the bugreporting time making ISK instead would have covered the loss a lot quicker, so reward that choice. And players are already most motivated to report bugs that affect them directly in a negative way so reversing that affect where possible as a reward seems like a no-brainer
Assistance in investigating - In the past I've tried to get help from BHs to spawn items or move characters and been told they're not allowed to, even when it's very clear that it's for investigating bugs. Other players have had better experiences but at the least it could be improved. I even applied to the BHs to try to get the abilities myself while following up the desync, but got rejected because (apparently): Bughunters are primarily filing-secretaries for bugreports and saying you actually want to hunt bugs on your application will hurt it. If I could have just gotten an extra account or two on Sisi, or even just a couple more supercaps and some fast-anchoring test towers it would have been hugely time-saving
Game mechanic exploits - I've always been nervous of submitting exploits to the bugreporting system because they will get seen by unaccountable player-volunteers and as a result very possibly exploited by enemy alliances (especially when the problem isn't fixed for 6+ months). There is a perception that using exploits in EVE is intentionally part of the metagame and they don't get fixed until they're widely abused, allowing those that discover them to benefit from them. Back in the day the F11 deep-safespot bug was considered treasured knowledge and CCP didn't rush to fix it or ban it's use. At the other end of the scale the ferrogel exploit was obviously considered much more serious. Somewhere in the middle is a grey area and if your exploit falls in that area you need to be able to contact a dev not a player-volunteer (devs might leak the info to their player-friends too of course but their job is on the line so it's less likely)
gl |
|
|
Davelantor
The Resistance Movement
24
|
Posted - 2011.09.22 07:44:00 -
[41] - Quote
3 DEV blogs in 3 days ... I am so happy .... i think now i will stop killing for today ... |
Florestan Bronstein
United Engineering Services
50
|
Posted - 2011.09.22 10:04:00 -
[42] - Quote
CCP Sreegs wrote:Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums.
not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite?
I don't have a set position on responsible vs immediate disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory.
The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds). |
Florestan Bronstein
United Engineering Services
50
|
Posted - 2011.09.22 11:23:00 -
[43] - Quote
CCP Sreegs wrote:Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports.
Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD".
I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so.
My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch.
Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue? |
|
CCP Sreegs
C C P
C C P Alliance
102
|
Posted - 2011.09.22 12:07:00 -
[44] - Quote
Florestan Bronstein wrote:CCP Sreegs wrote:Posting on the forums about it - This is also a bad idea. A really really bad idea as it is essentially an open disclosure, which leaves the system vulnerable to exploitation via the detailed method for the window it takes us to notice your post on the forums. not like the system is already vulnerable to exploitation before the vulnerability is discovered & reported, amirite? I don't have a set position on responsible vs immediate (full) disclosure but I think it needs to be acknowledged that while immediate disclosure may increase the probability of the vulnerability being actually exploited it also tends to minimize the time that the system is vulnerable (by applying maximum pressure to the developers) and gives users the ability to take precautions much faster/earlier than any company could issue them an advisory. The vulnerability does not start to exist when it is reported for the first time - if anything it becomes much less threatening once it has been reported and is known about (as users can then start to take precautions/use workarounds).
I disagree with you completely. While you may personally have the capacity to react the average user may not.
If the developers respond responsibly then there's really no point to disclosing openly immediately. There are certainly many documented cases of developers of various applications not reacting to security notifications in time, what we're trying to enable is a framework to prevent that.
:edit: In the absence of the developer actively shirking their responsibility the claim that they may potentially do so is dubious. One can't simply go through life using assumptions about how people or companies may or may not react to a situation as the basis for their decisions, which seems to be the crutch the most extreme full disclosure advocates cling to. |
|
|
CCP Sreegs
C C P
C C P Alliance
102
|
Posted - 2011.09.22 12:09:00 -
[45] - Quote
Florestan Bronstein wrote:CCP Sreegs wrote:Filing a bug report - This suffers from a similar malady to the first. A lot of information comes into both of these systems and we wouldn't be doing anyone a service by spending our days weeding through bug reports. Assume I experience a bug "visiting website xyz in the IGB does sometimes make the browser "hang" (have to restart client to fix this) and leads in rare cases to a BSoD". I file a bug report describing this behavior and expressing mild annoyance at CCP for releasing such a shoddy product, the bug gets verified by volunteers or CCP staff, gets assigned to CCP's IGB team, gets prioritized ("only one website of over 9000 is known to cause this issue, telemetry says only three users experienced client crashes due to it in the last month") and some CCP dev will grab the bug report and look into it whenever he gets around to doing so. My guess would be that many users experience glitchy behavior due to accidentally triggering vulnerabilities and (if you are lucky) report it as a bug without thinking of it as more than a harmless but annoying glitch. Shouldn't there be some process of screening incoming bug reports for signs of potential vulnerabilities and fast-track those that might point towards a security issue?
In your example you directly state that the bug simply looks like glitchy behavior. In a world where a potential security (or not) vulnerability could mimic any behavior how would you propose this screening should work? |
|
Andski
GoonWaffe
Goonswarm Federation
58
|
Posted - 2011.09.22 13:15:00 -
[46] - Quote
hey cool now whoever manages to figure out the Ev0ke Cheetah gets a multibillion ISK bounty and a PLEX!!! |
MailDeadDrop
Rage and Terror
Against ALL Authorities
13
|
Posted - 2011.09.22 22:07:00 -
[47] - Quote
CCP Sreegs wrote:All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.
Given how things played out with the first release of the new forums, I can conclude one of several things:
1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur.
2. The procedures were in place but were not followed.
3. The "peers" and "reputable third parties" were incompetent.
4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing.
Care to tell us which it was?
MDD |
|
CCP Sreegs
C C P
C C P Alliance
102
|
Posted - 2011.09.22 23:03:00 -
[48] - Quote
MailDeadDrop wrote:CCP Sreegs wrote:All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published. Given how things played out with the first release of the new forums, I can conclude one of several things: 1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur. 2. The procedures were in place but were not followed. 3. The "peers" and "reputable third parties" were incompetent. 4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing. Care to tell us which it was? MDD
Yeah let me get right on that.
|
|
MailDeadDrop
Rage and Terror
Against ALL Authorities
13
|
Posted - 2011.09.22 23:14:00 -
[49] - Quote
CCP Sreegs wrote:MailDeadDrop wrote:CCP Sreegs wrote:All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published. *snip* MDD Yeah let me get right on that.
While I'm not exactly pleased with the tone of your reply, I'll have to say I am glad you did reply. Really.
So maybe my initial posting was more snide than it should have been. And perhaps this topic doesn't exactly follow the main thrust of the dev blog. Hopefully you'll agree that the initial rollout was rather calamitous, and that there are lessons to be learned from how it came to happen. I suppose the root of my question is: did you (as The Security Guy) determine how it came to happen? A simple "yes", "partially", or "no" response is all that I'm seeking. Well, that and the realization that if the answer is "no" that maybe you should go ask those questions.
On a completely tangential topic, I've seen recent discussions on the petition queues, and how the security-related (non-exploit) petitions take a substantially larger share of :effort: to disposition. I also recall that the 2010 FanFest goodie bag included an authenticator (a la RSA SecureId fob). It seems to me that allowing, perhaps even mandating, the use of those fobs for login would dramatically reduce the incidence of the "hacked account" security petitions. Would you please add "login security" to the list of topics for you to cover in the next dev blog you write (hopefully SoonGäó)?
Thanks for your time.
MDD |
|
CCP Sreegs
C C P
C C P Alliance
102
|
Posted - 2011.09.22 23:21:00 -
[50] - Quote
Yeah sorry dude, but framing a question in such a way that there's no good, or even honest answer isn't really going to get you the rosiest of replies on my best day. :)
The answer is that yes we did determine how we could improve the process and the process today is different from what it was then. The process today is what I'm describing. I think I went over some of the changes as well during a presentation at EVE Vegas which I think is being hosted by EVE Radio somewhere if you're curious. We knew what the issue was within an hour or two of it occurring, figuring out what needed to change in order to prevent that didn't really require a great deal. My shoe is on backwards how to I prevent? Put it on the right way.
Regarding the two factor tokens, let's just say I'm looking forward wholeheartedly to the day where I can say when they'll be deployed. :) |
|
|
|
buck herrick
101st Space Marine Force
Nulli Secunda
0
|
Posted - 2011.09.23 00:05:00 -
[51] - Quote
i am liking this sreegs more and more (although his singing is terrible and i dont beleive that the recent hazing will help)
he posts and the actually reads responses to said post and then he even replies to said post.
this is a step forward, please ensure that we are able to have a new petition category where we can request all CCP'ers to act in this fashion. our security may depend on it.
|
T'Laar Bok
24
|
Posted - 2011.09.23 04:23:00 -
[52] - Quote
CCP Sreegs wrote:incentivizing
I cant decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t.
Both available on Amazon if anyone is interested.
Amphetimines are your friend. |
T'Laar Bok
24
|
Posted - 2011.09.23 04:23:00 -
[53] - Quote
Double post
Amphetimines are your friend. |
|
CCP Sreegs
C C P
C C P Alliance
106
|
Posted - 2011.09.23 11:45:00 -
[54] - Quote
T'Laar Bok wrote:CCP Sreegs wrote:incentivizing I cant decide if you got that from The Buzzword Dictionary or The Dictionary of Corporate Bullsh!t. Both available on Amazon if anyone is interested.
It means to give incentive. Hope that helps. |
|
mazzilliu
Sniggerdly
Pandemic Legion
0
|
Posted - 2011.09.23 15:18:00 -
[55] - Quote
Although a 15$ plex isn't a whole lot of incentive to put forth the unknown number of hours necessary to find an undiscovered vulnerability, it is rather fun and there aren't a whole lot of opportunities for sanctioned hacking against a company's resources.
sreegs, does this bounty also apply to the whitewolf and dust websites, that are also hosted on the same IP as eveonline.com? |
Internet Knight
The Kobayashi Maru
RONA Directorate
2
|
Posted - 2011.09.24 01:15:00 -
[56] - Quote
Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up
Report multiple issues: offer them a job because clearly it's better to have them on NDA than not. |
mazzilliu
Sniggerdly
Pandemic Legion
0
|
Posted - 2011.09.24 01:31:00 -
[57] - Quote
Internet Knight wrote:Report one significant issue: how much time was invested by the player in researching the exploit? How much time was invested in internal research to verify the exploit? If released publicly, how much damage could have been caused? Math: (Invested time * damage multiplier) / 20% fairness = reward in PLEX rounded up
this is ultimately what it will boil down to if you want people investing serious time into this. the sort of person with the skills necessary makes much more than 15$(one plex) in a single hour of work, and assuming that all the obvious security holes detectable by vulnerability scanners are gone, we're talking multiple hours of effort going into this to produce one security hole. So one plex does not even factor in the amount of incentive there is.
the only real remaining incentives, are name recognition, and "we won't sue you". which can be significant for some people. but time will tell if it's enough to produce a decent crop of vulnerabilities. if CCP were paying market rates for this sort of work we would be seeing a year's worth of plex or more instead, which might motivate people who are less than 90000% enthusiastic about putting ' and < in every single url and text box, and figuring out ******** input filters and stuff like that.
Mozilla is paying up to 3 grand, chrome paying even more than that. To scale it down to an organization CCP's size, 1 or 2 hundred sounds reasonable. And it's not even cash. the only thing the plex actually costs ccp is potential lost revenue. |
Garia666
T.H.U.G L.I.F.E
Xenon-Empire
1
|
Posted - 2011.09.24 20:50:00 -
[58] - Quote
Here is a free tip never have multiple accounts on 1 email. You can be banned for no apperent reason. So when you have change it asap |
Knalldari Testpilot
State War Academy
Caldari State
0
|
Posted - 2011.09.25 15:13:00 -
[59] - Quote
Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exact this could only be some kind of a hilarious troll.
You guys have some strange humor... 
//off topic
The new forum is less useful/handy/effective than the old one. |
|
CCP Sreegs
C C P
C C P Alliance
106
|
Posted - 2011.09.26 16:20:00 -
[60] - Quote
Knalldari Testpilot wrote:Asking the EVE community for help in fixing security issues after banning Helicity Bonson for doing exact this could only be some kind of a hilarious troll. You guys have some strange humor... //off topic The new forum is less useful/handy/effective than the old one.
Can you please let me know what part of "We've never banned anyone for reporting a security issue" was unclear? I can't speak to the specifics of any user you might be referring to as we don't publically discuss administrative actions as a matter of policy, but I can categorically define your post as patently false and ask you to refrain from spreading such falsehoods on this forum as it can be detrimental to what we're trying to do, which is encourage people to participate. |
|
|
|
|
|
| |
|
| Pages: 1 [2] 3 :: one page |
| First page | Previous page | Next page | Last page |