Response to code safety review discussion

Yes and no. If businesses have fake cameras, they basically bought themselves a lawsuit.
Roblox isn’t as likely to have this; however, this does not mean they aren’t at risk.

From what I can tell, yes, you are right, except that the moderators, if they see suspicious activity in game, will then look into the code. Here are some hypothetical examples for the game getting taken down:

Example 1 - Scam game

  1. Mods receive a flag for free Robux.
  2. They go in game and receive a “free Robux” prompt.
  3. Since there is suspicious activity in game, they check the code to make sure that it was the developer (could’ve been an exploiter, or in some other way not the developer’s fault).
  4. They find the free Robux code, and confirm the developer’s guilt.
  5. The game gets taken down.

Example 2 - Custom chat filter for “free Robux”

  1. Mods receive a flag for free Robux.
  2. They go in game, and no suspicious activity happens (the custom chat filter was working behind the scenes, keeping users safe).
  3. Nothing happens, since there was nothing wrong in game.

Example 3 - Exploiter creating inappropriate content

  1. Mods receive the same flag for the free Robux chat filter in Example 2.
  2. When they join, there’s an exploiter creating inappropriate content.
  3. To make sure that this wasn’t the developer’s doing, they inspect in game code.
  4. They find nothing in the code to suggest the developer is at fault.
  5. The game is left alone, since although the exploiter was an issue, it was not the developer’s fault, since the developer’s innocence has been backed up by the code.

All three were flagged for the same reason. However, Example 1 was a legitimate danger for account safety, Example 2 was a false positive, and Example 3 was a false positive, but with the coincidence of some fishy activity in game unrelated to the developer.

Note: this is all from my understanding of how the system works and may not be entirely correct.

9 Likes

@incapaxx @Conejin_Alt Keep your ridiculous arguing out of here.
You can’t completely trust these “specially trained” staff members if you don’t know who they are.

However, it’s completely exaggerated to think that every single one of them decides to go rogue, take information that means almost nothing, get it past the rest of Roblox staff, AND share it.

At most, only one member would try. Even then, that’s unlikely.

4 Likes

I disagree with the whole situation, but people need to stop freaking out over privacy too much.

If something is flagged it’s most likely the code won’t even be read.

1 Like

While you do have a point in saying that not everyone in the “specially trained” team is evil, that does not mean that a security flaw is excusable. It’s wrong to say everyone is out to steal your code; however, it is foolish to not prepare for that scenario. In exploit detection the main rule is to never trust the client and treat anyone as though they have malicious intent. I think the same rule should be applied here.

4 Likes

Personally I don’t see why an engineer would risk his reputation and his salary to go and sell some random user’s code. Especially since the majority of code is case-specific, and if there was some cool module, I’m sure the engineers looking at the code are well able to code the same thing themselves.

You’re forgetting that these aren’t just some random volunteers. They are trained engineers who have spent many years working and learning to get to a point where they are hired by Roblox. They work in Silicon Valley in San Francisco; all the salaries at tech companies there are very high. To sell some user’s code or an API key wouldn’t even pay for a few days’ rent in the area. Not only that, but they would get caught, fired, and have trouble finding another job.

This is Roblox’s platform and they have to abide by certain regulations (COPPA, etc). They are perfectly within their rights and obligations to scan content made or uploaded to the site.
I’m glad that Roblox has this automated system in place to catch inappropriate/illegal content before it is ever seen by anyone. I’m also glad that it doesn’t automatically ban people but rather goes through manual review first. If anyone has a better idea to this which is more efficient and won’t accidentally ban people and doesn’t require thousands of moderators then I’m sure there are many companies besides Roblox who would love to hear it.

I may sound a bit too to-the-point, but I think some people are making a big deal out of something that is actually helping them. And there have been some workarounds discussed to some of the problems anyway. Rather than dissing a feature which helps you and keeps your players safe, you should go to the appropriate feature request post or make a new feature request for something which will solve any issues you may have. Example: SecretService - A service for securely storing application secrets

6 Likes

Correct. My reply, however, was intended to un-exaggerate what many people say.

1 Like

This is a start, but it does not answer my main concerns and seems to downplay our privacy concerns.

No matter what, having anyone besides my team read the game’s code puts the project, and websites I have secrets for, at risk.

  • If it is possible for my code to be reviewed, I have to assume it will be. And from what I’ve seen there is no reasonable mechanism in place to protect secrets. Data stores are not a reasonable means to protect secrets (it is a hack to use it to store secret code and no assurance is given to the security of the service for keys). A proposal being available does not change this, it’s not implemented.

Does this only apply when the game is saved online or does this apply to all games?

  • This does not tell me if my private games can be reviewed.

I’ve since quit Roblox (only visiting occasionally looking for a response like this), which I feel is important context to my response.

1 Like

imo I don’t see much discussion being encouraged in the OP, I just see the OP as a dump of information. And most points were never addressed.

2 Likes

It specifically states it only targets code that is malicious in nature.

For example, the countless backdoor scripts from plugins.

I for one welcome this change.

1 Like

Can’t you just understand? We don’t want this!
How has this affected anyone? I can’t name anything.
There may be some cases where this can be done but our player base can’t determine whether content inside the game isn’t appropriate.
I don’t want some random person looking at my code and I will have no choice but to use one of those script protection services so none of these people can read my code! I don’t trust them!

2 Likes

I completely support the intentions behind this update for open-source code. What I don’t like is how it affects closed-source scripts that aren’t for sale or anything (eg. “main” scripts for a game that is not uncopylocked). The worst thing a closed-source game script can do is break the Roblox ToS, and these games have been caught countless times prior to this update. I also dislike that Roblox has given no clarification on the “specially-trained team” that are supposedly reading our code.

For open source scripts, this update is amazing and it will help out a lot of devs make sure that content they use in their game is not causing vulnerabilities in their games without their consent. I dislike the use of this system to moderate closed-source scripts, however, and I dislike the lack of reasoning Roblox gave when asked about closed-source script moderation.

4 Likes

Roblox unfortunately has a case of creating good updates once a century. The rest are either terrible updates or updates that hardly affect anything. Whose idea was it to remove the game categories search feature? Who came up with the bright idea of thinking it would be 100% fine to just look at our code, including API keys for things such as spreadsheets? This is a terrible idea, and not many people are supporting this update at all. Take a good look at the disagreement on this post that has over 136 comments, along with the original post that has 1000. This website in reality should be a partnership, not a one-way dictatorship of owner to developer. Just know that if Roblox were to lose many of its creators it would fail horribly. Without developers, there’s no players. Without players there is no Roblox. This doesn’t seem like “empowering” the creators WHATSOEVER.

6 Likes

Don’t do anything wrong and they won’t look at your code. Simple as that. Also they’ve created tons of great updates recently. I don’t know where you’ve been. They’ve had FiB 2.5, Game Permissions, Unified Marketplace Fee, they’re getting a new Dragger, new Asset Manager, they have Configure Group and Configure Item on mobile now, and they’ve tripled Premium Payouts.

1 Like

Malicious and harmful code gets put into games all the time, often without the developer’s knowledge. Most of the time, the code gets put in unintentionally, often by free models and plugins. If Roblox is looking to flag malicious code, there’s going to be many people banned simply because they had a model or plugin that was malicious. Moderators are unlikely to check where the script came from, and what it’s used for.

Roblox once made a game under review simply because of an inappropriate model name. What’s to say that Roblox won’t do the same with code?

Example: https://devforum.roblox.com/t/inappropriate-model-names-can-get-your-games-placed-under-review/448299

3 Likes

Who would make threats to others in code? There are many better places to do it, such as Discord, social media or IRL. Code isn’t a way of communication.

There are other places to hide stolen information besides code, such as PDF documents, notepads, etc. If you’re going to scan people’s code for this reason, there’s no point in it.

2 Likes

They’d probably review the model in question, and punish the creator of said model, and not the owner of the game.

Also, to answer your concern about model names: it’s probably due to the fact that model names can be shown if someone were to have a humanoid, whereas code is not viewed as easily on the server.

As I’ve said before to others: if you don’t want your code reviewed, don’t do anything bad.

That certainly reduces the chance of you being moderated for code review. But you could still be moderated if you didn’t do anything bad. In fact, you can get moderated for doing something good. One developer got terminated for using a custom chat filter on top of the Roblox one despite Roblox allowing and encouraging developers to use an extra chat filter.

The developer who got banned for using a custom chat filter was likely banned because of swear words in code. The script was meant to filter out words like “free robux” and “F word” that didn’t get filtered by Roblox’s filter. But to make a filter like that, the filtered words would have to be in the script. The moderator who checked his code likely didn’t check what the script was used for and didn’t give his code a second look.

3 Likes

That’s incorrect. Roblox does create many good updates, it’s just when they drop bad/controversial updates they’re much worse than the good updates are good. Part of it is communication, part of it is the actual update itself.

4 Likes

That developer got unbanned. Months ago, I got a copy of MeepCity, not for stealing code purposes, just to learn how to script in an advanced way. Well, MeepCity has a table with some inappropriate words that Roblox didn’t filter. Guess what: I saved the game in Roblox, and I didn’t get a warning or ban. Maybe because it was privated… But I didn’t get any message for inappropriate stuff. Well, the point here is that the developer you mentioned is unbanned :)

1 Like