Security Tester for Hire

Who am I?

Hey there!

I’m unix_system - I am a 6 year scripting veteran with experience in the area of Game Security Practices.
I am offering to help with any FE upgrading or post-FE security advice.
I have experience in:

  • Lua (6+ Years)
  • Node.js (2+ Years)
  • Visual Basic (2 Years)
  • Basic Working knowledge of C#, C++, and Java

I have worked on a number of games as well! I can provide a full portfolio on request.

I also hold an A* Certificate in OCR/J275 Computer Science (GCSE) and taking an MTA Exam (98-365) to recieve an MTA Certification.

Why might you need a security tester?

Security is a key aspect of your games, FE or not. If an exploit script goes around for your game, it can have devastating consequences on your revenue and game integrity. People will not play games which are exploited constantly!

Security Testers are a required role in your game because they give a different insight into ways of breaking your game. They find and responsibly disclose any loopholes they find and allow you to stop worrying about crude Anti-Exploit countermeasures.

What do I do?

I can work with a variety of working scenarios. I can normally however work with any one of these:

  • A layout of your Remote Instances API
    Example of what I’d need:

     ReplicatedStorage:WaitForChild('GrantNetworkOwnership'):FireServer(workspace.Part,LocalPlayer) 
     --Takes an Instance part and a player and grants network ownership to that player. Nothing returned
    

    (I’d expect a list of this for every event / function - I can provide preliminary feedback on what may need to be examined further)

  • Client Code and / or Server Code snippets of areas that you want examined - feel free to remove anything you wish as long as it isn’t relevant to the area you want examined.

  • Ideally, Place access would be the best way to go. This means I can do a full security test and actually simulate the attacks myself.

If you aren’t comfortable with letting me know areas of your code - that’s fine by me. I am willing to sign a Non-Disclosure Agreement (in fact, I have one prepared if anyone wants me to sign) if you have worries as well :slight_smile:

I’m interested - what next? (Pricing? Time Scales?)

If you want your game to be security tested, I have a variety of pricing schemes that I will go under.
Normally, if you want a simple security check, I’ll consider doing it for free.

If you want me to help with upgrading to Filtering Enabled, the price is more flexible. Depending on how much work there is (considering this isn’t my only commitment and more of a public service I’m offering) I can do it from around 5$ / 5,000 R$

The time scale is really flexible too. If you need it urgently, I can try bumping it up on my schedule. Otherwise, expect me to keep working, however I’ll discuss the exact time scale with you at the time.

DISCLAIMER: I do not go around games and exploit them. If you want me to test a theory I propose, you’ll need to replicate it yourself or let me run code in a test place of the game

To contact me, just shoot me a DM at unix_system#8061 or message me on the DevForums

Thanks for reading!

9 Likes

This should be fun :eyes:

Why would you need to know where everything is tho. Exploiters do that themselves …

1 Like

Because if you don’t want to give me access to the place or scripts, I can’t do much without it :stuck_out_tongue:

As stated in the bold disclaimer, I’m not going to use exploits or the sorts to maliciously break your live game. I’m a security tester / adviser, not an ‘ethical’ hacker

1 Like

I know it’s just example code but my eye caught something and I couldn’t leave it alone.

You do realize the client is passed as the first argument automatically when FireServer is called, right?

-- In LocalScript
ReplicatedStorage:WaitForChild("GrantNetworkOwnership"):FireServer(workspace.NetPart)

-- In server script
ReplicatedStorage:WaitForChild("GrantNetworkOwnership").OnServerEvent(function (client, otherArgsPastHere) end)

Passing LocalPlayer would be redundant as it is automatically passed.

1 Like

Yeah - I added this for that exact reason. The idea is that it’s insecure because it allows the user to specify which client to grant network ownership to.

1 Like

Oh, your idea was to point out that it’s incorrect to pass the client as an argument and to use the auto-passed argument instead. I think I missed out on the context there.

2 Likes

Yeah. This code is actually identical to one of the games I have reviewed before a while back which is why I included it :laughing:

2 Likes