It only standards to reason that if can exploit is publicly available (which the case above is), and is usable in any game (which the case above appears to be), then it should be tagged before it reaches critical mass.
If this is not patched, then it’s only a question of time until the exploit is used against an overwhelming majority of games.
I don’t disagree that it’s important and high priority, but I really don’t think it’s worth distracting engineers by making it equal to the entirety of Roblox being unplayable.
Yes it’s a matter of time before more people use it, but like I say, I see it as the difference between dragging you out of bed at 3am versus putting it at the top of the pile on your desk at 8am. The former is ROBLOXCRITICAL, the latter is just a high priority issue.
That’s why I’m suggesting a secondary tag as a more appropriate solution. ROBLOXCRITICAL is when it reaches critical mass - another tag, maybe ROBLOXEXPLOIT or whatever is “hey, this might get to critical mass, but it’s not there yet”.
I agree stuff needs preventing from reaching the critical status, but some stuff may still get there and should take priority over things that haven’t yet. You lose that priority if, regardless of size, it’s all counted as critical. I agree these topics should receive attention, just not necessarily via the method you’ve proposed.
But, to be honest, your suggestion goes beyond just a change of policy on devforum, you’re actually suggesting that Roblox engineers change what they internally classify as critical versus just high priority, so maybe Forum Feedback isn’t the best place for the engineers to see your suggestion for their internal workings. Not sure what other category it could go into though at the moment.
FYI, ROBLOXCRITICAL is not meant for “this is an important issue that should be solved”, it is meant to denote “this is a P0 issue that should receive immediate attention, wake up all involved engineers, do not stop working until it is fixed”. This is typically reserved for large-scale service outages and data/payment corruption.
If your motivation for wanting this is that you want a staff response, there are better ways to do this. Most importantly, give your topic a clear title, follow the bug reporting format but be succinct, include a repro, and clearly denote the criticality of the issue. A magic tag that anyone can use doesn’t scale and is bound to be ignored in the long-term if we let people use it more freely.
Well then if this isn’t ROBLOXCRITICAL then what is it? Is it going to take days to fix? I think we would all be pleased if we just got a response telling us that it is being looked into. We shouldn’t as a community have to try to create fixes for exploits that are due to a fault in the engine.
I also personally think ROBLOX does not care about exploiters as much as it should. ROBLOX has always been an attraction to exploiters and scammers because of how easy it is. People create exploit programs for ROBLOX which bring them tens of thousands of dollars per year, and it doesn’t seem like they’re being stopped by anything.
Okay, say trying to secure the engine as much as possible from exploiters is much more complicated to stop than we realise, then why can’t legal action be taken against them or players be completely terminated without warning?
Plenty of exploiters exploit on main accounts because they know that nothing really will happen to them. I don’t understand how ROBLOX allows sites like WeAreDevs to just laugh at them how they do.
I personally think that exploiters should just be treated with much harsher punishments in general, such as terminating all accounts and restricting them from coming back for repeat offenders.
It’s meant to be rarely used. Only for bugs that need to be immediately fixed without delay. This one looks like it can wait a few days and Roblox won’t burn down or anything like that.
If the entire website/games are down, then Roblox will burn down if nothing is done, so those are robloxcritical. Those are the issues that need to have the tag. Not every issue that is “important”.
Nobody is saying this issue is not important, but the critical tag has clear guidelines and the linked bug simply does not meet those guidelines. It’s really as simple as that.
If you think “ROBLOXCRITICAL = we’ll get a staff response”, you are sorely mistaken about the purpose of the tag and you should read the guidelines above again. If you want a response, then you should file a proper bug report to make it easy for them to look into the issue and respond to you.
I’m well aware of the important meaning behind ROBLOXCRITICAL; moreover, your post begs the question:
Would you prefer being woken up now, an hour or two before the issue reaches critical mass, or in three hours when the front page can best be described as an empty desert?
I for one would sleep better at night knowing that we can raise issues to ROBLOXCRITICAL when we can clearly see are going to hit a substantial majority of games before they do so, and get them fixed before they manage to impact losses on our playerbase.
That’s something Roblox engineers can plan out, we shouldn’t plan for them, we should only use the tag when it objectively meets the requirements. We shouldn’t speculate ahead.
Roblox engineers see all bug reports regardless of whether it has the critical tag.
Conducting such a thing is likely not worth it: You need to know who they are, where they live, etc. and you still need to collect evidence that a jury can admit into court - all at a no guarantee of winning - the hassle of taking legal action is simply way greater than the potential reward.
They will always find a way around (Alternates, VPNs) - not to mention the impact of false positives.
Then again, as long as the accounts represent no value to their owners, this has a tendency to be unenforceable.
Now, about the topic itself:
I don’t think it’s worth it to validate this kind of topics as ROBLOXCRITICAL - not because it is not urgent (on the contrary, it is) - but because (unfortunately), depending on the issue, it might still take more than a couple hours to get a fix done. I think that in this cases, being able to ping @Exploit_Reports might come off as a better idea.
Yes, we should only use a tag when it meets the requirements. That’s why I’m advocating changing said requirements.
ROBLOXCRITICAL is a tool, to be used strictly when a situation requires not only immediate attention, but a rapid response to prevent further impact in the platform. The point is that we need the ability not just to notify Roblox engineers when we are experiencing massive player losses, but before we do so.
Roblox certainly cares a lot about addressing exploiters, but this isn’t as easy as some people make it out to be. We’ve come a very long way as a platform since the times of non-Filtering Enabled.
That being said, squashing people sharing exploits on the internet is hardly a solution. The fact is, they will keep popping up as long as they are able to exist from a technical standpoint. The broader solution lies in long-term planning to create a more secure development platform.
"I don’t think it’s worth distracting engineers by making it equal to the entirety of Roblox being unplayable.
You are right.
However, this IS making some games unplayable.
People like targeting specific games, and we can’t do anything about it.
ROBLOXCRITICAL should definitely be warranted in situations where unpatchble exploits are crashing servers.
The fact that it can’t be classed as critical until someone pulls it off on a larger scale is inviting exactly that to happen. It’s a backwards way of triaging issues because they’re (in a way) encouraging it to have a wider effect on the platform before they’ll give it any special attention.
Even if “ROBLOXCRITICAL” is not the correct tag, there should be some additional triage that means this is dealt with as an extremely severe and time sensitive issue, with some appreciation for the pain and loss of revenue this is going to cause developers if it isn’t identified and patched.
This definitely needs addressing ASAP, i’ve had to close my game to group only because of this and it’s only going to spread in the coming hours as word goes around about the exploit.
As for whether this is worth ROBLOXCRITICAL being changed, i’m not sure. I think the issue is moreso communication related than anything else, and some sort of pinned acknowledgement that Roblox engineers are aware of this issue would be more helpful. Then again - isn’t that what ROBLOXCRITIAL accomplishes anyway?
The group @Exploit_Reports exists for reporting exploits. Exploits are not meant to be reported anyways, at least not with reproduction steps.
Though I do agree that there is some grey area and there are some things that should be considered robloxcritical but can’t be because we need to be bound to the definition of robloxcritical.
For instance what if all premium subscriptions randomly cancelled and all robux got wiped due to roblox error? There is nothing even close to the example scenario and thus can’t be posted. The guidelines are too specific and should be generalized a little more.
It does not crash or throw fatal errors, it does not halt all meaningful functionality in Studio or in game or on the website.
It does not cause player data loss through data stores nor purchase failures.
It does not prevent successful connections to games.
The user didn’t report an exploit, they reported that their game was being crashed. They had no idea why that was until knowledgable users in the field contributed to the discussion.
The fact that this was a new exploit, with devastating effects, could be used in any game, and has the potential to become widespread, all seem to say that it is ROBLOXCRITICAL to me.
It has the capability to hit a “significant amount of players / games”
Agreed. ROBLOXCRITICAL is a tag that is used for essentially when Roblox is unplayable or a major service is down. An exploit like this was making Roblox unplayable at a growing rate. The more exploiters who saw the post with how to execute it, the more unplayable Roblox got. This is something I’d definitely classify as ROBLOXCRITICAL.
Yes, it is not critical cause it does not currently affect most games, well obviously a game like adopt me with over 500,000 players isn’t going to be affected by someone shutting down a few of their servers. But games with smaller player bases are suffering. I’m not too bothered about my test server as it is just a test server, but it usually has around 70 players and recently it isn’t surpassing 15 because of this shutdown exploit. Sure, this isn’t ROBLOXCRITICAL but something needs to be done pretty quickly.
Exploiters can’t be easily dealt with but they’re not harshly treated enough by moderation in my opinion.