New express exploit reporting feature and L$ bounty

Update: I’ve updated this post with new rules and more clarification of the rules. Old rules are struck out, with the additions in italics. Rules that stay the same are unaffected. Please see this post for a complete update on how the exploit reporting feature is working out.

We take exploits very seriously and to prove it, we’ve added an Exploit category to the in-world bug reporter in Wednesday’s (August 2, 2006) release. When you are pretty sure the bug you have encountered is an exploit just report the bug normally in the viewer (Help > Report Bug) and choose the category Exploit to have such bugs shuffled up in the priority queue and brought to our immediate attention. How immediate? It’ll go to my email, which happens to go to my phone! You should get a response quickly, even during non-business hours.*

To further prove our dedication to exploit exorcism, we’re offering a limited-time exploit bounty of L$ 10,000 to the resident who first reports an exploit via the inworld bug reporter and tags it as an exploit.

At least one of the following criteria must be met to get the loot:

  • The bug allows unauthorized access to scripts or other assets
  • The bug allows unauthorized copying, transferring or modifying of objects that you do not have the rights to (permissions bugs)
  • The bug allows others to remove, return, destroy or alter inworld content they do not own nor have modify rights to (either by a group or a friendship modify grant)
  • The bug can be used to steal or create Linden Dollars (L$).
  • The bug could potentially cause a compromise of the grid or resident privacy

In addition all of the following must be met:

  1. The reproduction case must be clear and immediately reproducible. You must provide steps I can follow at o’dark hundred in the morning, SLT. Blank bugs will be deleted, cursed and may get your avatar reverted to Ruth at my discretion.
  2. You must not post the exploit to the forums, distribute notecards with the repro case or otherwise publicize the exploit.
  3. You must not use the exploit for personal gain.
  4. Only the first resident to report a specific exploit with a clear and reproducible reproduction case will receive the bounty.

This offer is valid from August 2, 2006 until September 30, 2006**. One bounty per resident, not one bounty per exploit. In the case that multiple residents report the same exploit the first one who reported it with a clear and reproducible repro will get the green. Please note that this is not a hotline to Linden. It should not be abused or used for anything other than exploits. These reports will wake me up in the middle of the night, causing me to get out of bed, trip over my laptop, curse the person who woke me up and start repro’ing your bug — all without coffee, contact lenses or daylight! Bug reports that are clearly not exploit reports will not only be ignored*** but could also get you added to a no-email list. Abuse of the system could also garner abuse team action (harassing Lindens in the middle of the night counts as abuse). Please keep this in mind when you try to slip a regular old run-of-the-mill bug under the radar!

We hope this helps prove our commitment to stopping exploits. We ask in return that you do not post exploits to the forums, Linden blogs or talk about them inworld.

*Actual developer response time and fix deployment will vary.
** Please see this post for clarification as to what an exploit is and is not.
*** Crying wolf will get you removed from my holiday card list, your bug will be deleted and you will be asked to enter the bug again using the conventional options.

This entry was posted in Bugs & Fixes, Quality Assurance.

45 Responses to New express exploit reporting feature and L$ bounty

  1. Sansarya says:

    Hurrah! Great first blog post 😀

  2. Ice Brodie says:

    Eek, try not to injure yourself when dealing with exploits Brent. o.o

    Sounds like a good plan, forum posts lead to hassles, and these should be patched as soon as they’re found. I like this idea.

  3. Oz Spade says:

    Wow, now that is dedication. You should have had the email get sent to one of your clones’ cell phones! 😛

    Very cool of you to do.

  4. Now I know how to contact you when I need companionship.

  5. Paul Llewelyn says:

    Ok I think you need to add that the reporter cannot have run amok using the exploit they reported for personal gain prior to, during or after reporting it.

    I can see an enterprising hooligan doing exactly this.

  6. Jeffrey Gomez says:

    Y’know, I was talking about something like this. Cookie for you, sir!

  7. Very Cool,

    One question, is there some type of warning/explanation in the bug report tool about this? Because the average resident will not read this blog. Of course, I think bug reporters mostly aren’t the average users, but it would be sad if you get woken up on multiple nights and have to send the abuse team on someone, just because they do not know it is the Brent Linden hotline.

    Otherwise, very cool.

  8. Michi Lumin says:

    I just wanna know how to get on Brent’s holiday card list in the first place. I hear there’s some racy stuff that goes around.

  9. Brent Linden says:

    If I see anyone send a “FIRST POST … er, EXPLOIT! WOO!” bug report in I’ll disable every one of their scripts personally 😀

    Frans, we contemplated such a warning but didn’t want to scare residents with the bug reporting tool. There is some language at the bottom of the bug report window that explains what to do if you have found an exploit. If it is insufficient (read: Brent gets a blank bug report at 4 am marked Exploit) we’ll add more protection layers. Something I was toying with was only sending the email if the user has payment info on file. That way folks using anonymous accounts won’t be able to disturb my counting of bugs as they jump a fence.

  10. Malarthi Behemoth says:

    Sounds like a great step in the right direction Brent! Two thumbs way up for implementing this both as a way to patch security holes and to show your dedication to making SL better!

  11. cinda Hoodoo says:

    YAY! You heard us!!!!! Wonderful news, thank you Brent for um “volunteering” to be up at unspeakable hours..this could just work, I’m so excited…thanks..thanks..thanks!!!

  12. CrazyMonkey Feaver says:

    Awesome 🙂

    Only thing I worry about is..
    Now you may be able to partake in the joy of griefers the worst way possible, lol..
    — I hope not, It’s otherwise very cool..

    Now we just need someone to edit the real WIKI to add your name under the definition of “dedication” 😀

  13. Draco18s Majestic says:

    Bug Report: Exploit
    Subject: FIRST PO … er, EXPLOIT! WOOT! ^..^
    Details:
    Uh…. *looks around* Yes, first exploit is mine!

    (Yes, I had to)

  14. Pingback: eightbar » Blog Archive » Linden Labs now have a consolidated blog and new exploit reporting process

  15. >> # You must not post the exploit to the forums, distribute notecards with the repro case or otherwise publicize the exploit.

    Does this mean Linden Lab will continue its new policy of “suspend users for 3 days for warning people, even if they do not specifically detail what the exploit is”?

  16. Wendel Gascoigne says:

    I think this is a good solution. It gives SL users as near a direct line to a Linden to report exploits and make sure they are looked at post haste.

    If the Lindens find the exploit to be high risk enough, they can decide to warn the users and even bring down the grid.

    It’s certainly much better than people posting about exploits on the forum.

    Here is hoping that the system works well and that exploits die a swift death once found.

    Wendel

  17. Ricky Zamboni says:

    Are you really “proving your dedication to exploit exorcism” when the bounty you’re paying costs you absolutely nothing to provide? If L$ “have no value”, aren’t you really saying that you don’t place any value on your users’ exploit reports?

    If you really want to prove yourselves, then offer *real* cash for any verified bugs (like Donald Knuth does for anyone who can find a bug in TeX). Paying out with database bits you can generate instantly and arbitrarily isn’t terribly impressive.

  18. Galadriel Gremminger says:

    Great idea, many places one can actually find exploits within the system if not even ones outside of it “Texture Stealers”. If this can lead to a much happier life for everyone on SL (hey, I might be an SL furry, that don’t mean I’m biased against anyone else) now with knowing that this kinda stuff is around maybe.. just maybe we can finally see a sorta peaceful life in Second Life (Griefers are always a pain but it’s one I learned to deal with as a Furry)

  19. Stroker Serpentine says:

    I am curious as to what will be done about the content that has ALREADY been exploited/lost because of bugs and/or exploits. Just kiss it goodbye? How about some responsibility along those lines?

  20. Jr Breed says:

    Great blog. Simple enough that a 3 year old could understand. I’ll be sure to pass this info off to my friends in-world. Awesome dedication!

  21. Lara Han says:

    I know it is just an idea but it is not fair to exclude bug reports to residents that only have payment info on file. If you were to enact it I would not be able to send bug reports. Please take this into deep consideration.

  22. jefferey Heart says:

    Good idea, but why limit it time wise? This is an excellent method of doing QA testing and rewarding folks that do it as a full time gig in SL. Certainly cheaper than paying a RL person to do it. I think the bounty is set just high enough to get some folks’ attention.

  23. Tank Fisher says:

    Brent, be careful, but then again with each new release of Second Life there’s always potential “bugs”, some exploitable, some not. However, there’ll probably be new exploitable bugs popping up in the new releases as they come available, as new features are added and others are taken away. I enjoy seeing someone that is as dedicated as you.

  24. Carro Levitt says:

    Good Idea.

    …But in the exploit hunting race and Linden hungry eyes, shouldn’t u set an age limit for the Residents reporting this, but til at least yesterday’s date, since ppl can sign up now pretty easy w/o payment info. If no restrictions here ppl just pop 2 chars and report 2 exploits. And u got a babyboom in SL in the name of making it exploit safe. Should make a clear statement on that 2, with 350k+ residents I’m sure at least 10k of those would like to make a new avie just to get another 10kL or a shot at it.

    Not only saves you a world of hassle, also makes the exploit hunt serious from start.

  25. JayR Cela says:

    I think it is a great idea to enlist help from the serious SL community. In the 10 months I have lived and developed my Character, I have run across some rather disturbed individuals that seem to get a thrill from throwing a wrench in the sprockets, so to speak. The prize money is not important to me. This however does let me feel confident that the next time I run into an individual foolishly bragging about an exploit, I will be sure to copy the text, and forward it to Linden Labs.
    Thank You So Very Much for re-establishing my confidence in Linden Labs, that they are truly looking out for the people who take this game platform seriously.

  26. Lucky Merit says:

    You’re funny. 😀

    Good luck with this project. I wish you great success, and few (or no) late night calls.

  27. Sildur says:

    “warning people, even if they do not specifically detail what the exploit is” is like shouting “fire!” in the middle of a church without knowing whether there is a real fire or not.

    PS: I’m the subproduct of a hyper-nationalist culture – sorry for the bad English.

  28. Nardok Corrimal says:

    So wait, does that mean we can’t get the bounty if we don’t have a credit card on file with you..? That doesn’t really seem fair….
    (especially since I know of one already that I could report …. not that I particularly care about the bounty, but it would be a nice bit of breathing room? I’ll send it in anyways.)

  29. Brent Linden says:

    I’m not involved with any abuse stuff. The rules above apply to bounty eligibility.

  30. Azzura Supplee says:

    Good plan – just hope it doesn’t spawn new hackers! Though it’s nice to have the residents searching these problems out – just hope you can keep up with the solutions as fast as the problems are reported! From past experience as a bug hunter in other games…the ratio of reported bugs to actual fixed bugs is usually horrible and depressing.

    Rewards for exploit reporting are a great idea – maybe after Sept 30 – you can still reward people a bit – I’m sure even 1000 or 2000 would be incentive enough.

    Also an Idea here
    Like with the last exploit and residents locking their sim or land to protect themselves…..

    Maybe put an In Game option for land owners that they can toggle on or off that if you (The Exploit Team) are notified of an exploit that could ruin someones ingame life or mess it up terribly – that you could activate a system and anyone that opted for “Auto Exploit Lockdown” would have a blockade put up on their land so no one could mess with the owners property or get into it until the exploit is fixed or the owner wishes to reopen?? sound like a plan?

  31. Yleri Tokhes says:

    Nice ^-^ This sounds like a good addition.

  32. I hear the first bounty has been paid! Woo!

  33. Sounds like a smart move in my opinion..

  34. Brent Linden says:

    Azzura: We already have that option: Land banning and access restrictions.

  35. 1: Well, it’s a start anyway towards getting those who refuse to be nice folks in RL or SL. It would seem this, and perhaps other, countermeasures are problematic at best. Only very experienced computer users and residents would even recognize an exploit, I think. Most would assume LL doesn’t know what they’re doing. Being a Dreamland resident, I happened to overhear conversations of others to this effect. I stuck my 2 cents in and informed these individuals that the “Lindens of Creation” were doing their best to make us mortals content. Response not intelligible. 🙂

  36. Excellent. Never seen a more dedicated Linden :P. Just wondering how many people will ACTUALLY use this after the bounty is over :O

  37. Brent Linden says:

    When I mentioned possibly blocking the reports sent by those without payment information, I merely meant that we could block on that because this instant exploit reporting feature could be abused. After thinking more about it, a resident age limit does seem like the way to go. I will discuss it with development and see what can be done. Please note that any restriction placed will not affect your ability to report regular bugs. It merely won’t allow you to report bugs with the “Exploit” feature (or, if it does, it won’t flag them to be emailed to my phone at 3 am 🙂

    Check out my update on how the new feature is working and some of the changes we’re making. Watch for further up-to-the-minute information in this blog!

  38. SuezanneC Baskerville says:

    I suppose the restrictions mean I should not file an exploit report for every occurrence of gray textures with white outlines. Darn.

  39. slothbear says:

    Using the “secondlife” tag on a post in the Second Life Blog is kind of extra. It tends to obscure the Tag Cloud (where secondlife is currently the biggest tag).

  40. Zen Zeddmore says:

    * The bug can be used to steal or create Linden Dollars (L$).
    3. You must not use the exploit for personal gain.

    Could you please suggest appropriate protocol to legally and unoffensively comply with BOTH of the above?

  41. Pingback: Official Linden Blog » Blog Archive Grid temporarily closed to investigate permissions exploit «

  42. Seraphim Vixen says:

    Actually, even with the inconvenience of not being on temporarily, I’m glad u all r checking into these things as I myself am a creator and would not want such things to happen to my things, so I applaud all of u in SL working so hard to protect all of us 🙂

  43. Pingback: Trusted Worlds » Bug Bounties in Second Life

  44. biglietti says:

    nice place, you know..

  45. Pingback: Official Linden Blog » Blog Archive Update: Exploit bounty rules and stuff «
