As the topic says, I am wondering if it is legal according to Roblox Rules to invite exploiters to a security game test, and pay them robux/usd if they make a harmful bypass under the conditions that I am informed of the vulnerability that they exploited to do so.
Do note that I am well aware of the vulnerabilities of the client and the complexities in securing it, including the fact that it is impossible to completely secure the client, but I do also believe that making exploiting more difficult for the general exploiters is better than making the game fully vulnerable. I’m well experienced in that debate; I am simply wondering if this would be allowed according to Roblox rules.
Basically the idea is to have security in my game that is constantly tested by a competent group of exploiters / white hats who will attempt to destroy the security every day. The bounty is simply there to encourage people to try and break the anti-exploit, and by nature, the longer this goes on for, the better it is for the security. And it will easily filter out the 99% of common exploiters who know only basic Lua while they attempt to cheat in games, not to mention the ones who do not even know Lua / understand the client-server relationship.
UPDATE
I’m sure some of us are aware that big companies such as Microsoft do this to create formidable security, as you can read here.
Now of course I am just an atom as compared to them, and we know Roblox themselves work closely with white hats to improve their security. Basically what I’m wondering is what are the rules on this for us developers, are we allowed to somewhat adopt and act upon this idea for our game securities as well?
And if it is not allowed towards random exploiters, are we allowed to do so with boss white hat owners? Because I do strongly believe that this is a very healthy method in handling security. Again, I am not saying that this is a MUST for all roblox developers, but for those of us who do care this much in regards to security, are we allowed to create and act upon this idea?
You’re basically talking about white hats (or something like that) and yes, it’s still against the rules. You’re basically asking them to inject foreign code into the player, which is against the Roblox Terms of Service, and paying for it might get you in trouble too.
In one way it may be legal (making exploiters try to bypass a security system you have created is in some way good for Roblox), but in another way it may be illegal as well, because you will pay them for their work, and exploiting is illegal on Roblox. I wouldn’t do it if I were you, since you will have to communicate with Roblox exploiters and you may get banned for several days or even forever. I hope this reply helps.
It’s much safer (and cheaper) to just build your own exploit testing tools within your game. Figure out what the client can do (call any remotes, make any changes to the character, etc) and create tools that revolve around abusing those loopholes, and then try to block those tools from working.
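To make the suggestion above concrete, here is an added example (not code from the thread or from any poster): a server-side guard for a single RemoteEvent, written as a Roblox Luau Script. It assumes a hypothetical RemoteEvent named "DamageRequest" in ReplicatedStorage that clients fire as `DamageRequest:FireServer(targetPlayer, amount)`, and hypothetical limits (MAX_DAMAGE, MAX_RANGE, MIN_INTERVAL). The point is that every argument arriving over a remote is untrusted, so the server re-checks types, ranges, rate and physical plausibility itself; the validation is kept in one function so a self-made testing tool can call the remote with bad values and confirm each rule rejects them.

```lua
-- Added example (not from the thread): server-side validation of a RemoteEvent.
-- Assumes a RemoteEvent "DamageRequest" in ReplicatedStorage, fired by clients as
-- DamageRequest:FireServer(targetPlayer, amount). All limits below are hypothetical.

local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local damageRequest = ReplicatedStorage:WaitForChild("DamageRequest")

local MAX_DAMAGE = 25        -- hypothetical per-hit cap for this weapon
local MAX_RANGE = 30         -- studs; hypothetical melee reach
local MIN_INTERVAL = 0.25    -- seconds between accepted requests per player

local lastRequest = {}       -- player -> os.clock() of the last accepted request

-- Returns the character's HumanoidRootPart, or nil if the character is not usable.
local function getRoot(player)
	local character = player.Character
	if not character then return nil end
	local humanoid = character:FindFirstChildOfClass("Humanoid")
	if not humanoid or humanoid.Health <= 0 then return nil end
	return character:FindFirstChild("HumanoidRootPart")
end

-- All rules in one place so a testing tool can exercise them; returns ok, reason.
local function validateDamage(attacker, target, amount, now)
	-- Type checks first: an exploiter can send any Lua value, not just what the UI sends.
	if typeof(target) ~= "Instance" or not target:IsA("Player") then
		return false, "target is not a Player"
	end
	-- amount ~= amount catches NaN; the upper bound catches math.huge and inflated hits.
	if typeof(amount) ~= "number" or amount ~= amount or amount <= 0 or amount > MAX_DAMAGE then
		return false, "amount out of range"
	end
	if target == attacker then
		return false, "self-target"
	end
	-- Rate limit: rejects tools that spam the remote in a loop.
	local last = lastRequest[attacker]
	if last and now - last < MIN_INTERVAL then
		return false, "too fast"
	end
	-- Physical sanity, judged from the server's own view of both characters.
	local attackerRoot, targetRoot = getRoot(attacker), getRoot(target)
	if not attackerRoot or not targetRoot then
		return false, "character unavailable"
	end
	if (attackerRoot.Position - targetRoot.Position).Magnitude > MAX_RANGE then
		return false, "out of range"
	end
	return true, "ok"
end

damageRequest.OnServerEvent:Connect(function(attacker, target, amount)
	local now = os.clock()
	local ok, reason = validateDamage(attacker, target, amount, now)
	if not ok then
		-- Log and drop. A single failure is not proof of cheating (lag can fail the range check).
		warn(string.format("[DamageRequest] rejected from %s: %s", attacker.Name, reason))
		return
	end
	lastRequest[attacker] = now
	local humanoid = target.Character:FindFirstChildOfClass("Humanoid")
	humanoid:TakeDamage(amount)
end)

-- Release the rate-limit entry when a player leaves.
Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

A testing tool in the sense of the post above would then fire the remote with a non-Player target, a negative or huge amount, a burst of calls, and a far-away target, and check that each is rejected with the expected reason.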
Right I understand that but what confuses me is what’s the written rules on this? Is there a specific section in TOS that mentions against this? Because I do believe that the Boss White Hat was made based off a similar idea.
One of the fellows I know on Roblox by the name of EinsteinK has that hat, and I do believe that hat means that they have used exploits and whatnot for good and were thus compensated for it.
It’s basically under the “don’t exploit” rule. Those people with the hat are working closely with Roblox to patch up exploits that could be game damaging.
I am currently doing this, but I am also quite aware that there are many people out there who are far more knowledgeable / creative than I am in finding/abusing vulnerabilities and in programming alone. If I could gather up those people and help create a far healthier group to stress test the security, I figured it would help much more than using the same brain that created the anti-exploit.
If you want to have people try to exploit your game legitimately without using real exploits, you can give them a little command bar that runs local Lua code.
Because you can’t use loadstring on clients, here’s a thing that will help you.
I support white-hat exploiting, a few of them have offered genuine help to me and my game in exchange for almost nothing, just gratitude. Though I don’t admit to using their help, I support it. They want to help make games better, it would be counter-intuitive to deny help. Especially on something so critical and discreet.
Roblox has no jurisdiction outside of their own site and domains. If you ask someone to do it i.e. via Discord, you have no real risk of being moderated for it.
Just like they can’t moderate you for doing Robux giveaways on Discord.
Anonymity is your greatest friend, and enemy on the internet.
As for the legality of it all, well I’m not a lawyer so I am unsure. I imagine this would have to deal with your state’s law and the federal law. Unless you live outside of the U.S. then you are better off looking in your country’s legislature, not sure where that may be outside of my own country, the U.S.
I do know for a fact, however, that big companies like Facebook and Google hire white-hats to test their systems and databases and so on. But again, I don’t know if it’s legal.
Of course in theory they could moderate your account for suspected activity that breaks ToS or the law. But I haven’t heard of a case yet where someone’s activity on Discord has ever led to their moderation on Roblox.
@ForbiddenJ The unfortunate reality is that an actual exploit tool has much higher access and abilities as compared to a Lua executor. Even at its closest, the most I can provide is direct access to the game in Team Create and using the command bar, but that is out of the question as I do not share the game with anyone except Zynneria and Bloxtun.
@lysandr Absolutely, us developers could easily stay anonymous and do this behind the scenes but I guess what I wish to know here is Roblox’s stance on this. If a roblox staff could provide a thorough stance on this topic I would highly appreciate it, also, absolutely love that quote btw haha
The level of access an exploit normally needs doesn’t seem to matter for anything except configuration files and CoreGui. They don’t necessarily need the CoreGui, and exploit scripts that do can be rewritten to use the local PlayerGui.
What I think does matter is how exploit scripts are used. If you’re hiring real exploiters, they’re probably going to use their Lua VM exploits anyway (like Synapse X), instead of whatever command bar thing you can provide. The exploits are full-fledged with script-writing, consoles, and who knows what else.
1) Use real exploiters and hackers by default
2) Encourage people to try and break the security for the bounty
3) Patch the vulnerabilities as we go
4) By default, this will attract more knowledgeable exploiters to come and break the security
5) By default, each bypass will make the security stronger than before
6) Be kept up to date with the tools/methods exploiters are using at all times
If I’m going to hire people to break into my house and compensate their success with money given the condition that they explain thoroughly how they did it, it simply isn’t a good idea to rob the tools they would usually use from them. Especially when the common robbers that actually have malicious intent use those tools to break into it.
And given the fact that the idea was based around using real exploiters and hackers, creating a custom executor for them is off topic, since one of the reasons behind the concept is to also be kept up to date with the tools they are using and understand what they can and cannot do; the more you understand the other end of the spectrum, the easier it is to uphold yours.
There are a few cases of white/grey hat exploiters being somewhat employed by game developers to find flaws in their games. It’s definitely a grey area in whether it’s allowed to hire and/or pay a person to do such, so I’d definitely suggest steering clear of it until there’s an official statement regarding it.
I definitely support the idea and would be all for it. I believe having experienced exploiters trying to break your game is the best way to find flaws, because there’s always going to be something lurking somewhere you haven’t checked. It’d be a very complex process to determine who can be considered “qualified” for such a thing, so I don’t think it’s currently feasible, and sadly I don’t see anything like it happening in the near future as something somewhat officially/officially supported by Roblox.
Just to clarify (saw a post above regarding it), Boss White Hats are given out to people reporting all sorts of flaws with Roblox, it isn’t defined to one skill set (for example, web security). They do not immediately mean that the owner(s) of said hat are exploiters, merely that they have reported a flaw or vulnerability in the Roblox platform (website, client, studio etc.) and it was somewhat severe. It should not be considered a trust-all item under any circumstances in regards to a user, nor does it necessarily 100% point to experience and skill regarding various security skillsets. Every person is different and each person should be considered as such.