Dealing with the discovery of an exploit in a MAJOR online casino's system

[arandomdude]

Hi.  Someone that I know has discovered a "bug" in one of the major casino's payout systems.  This person has been able to use this bug two times over a six month period which resulted in about $10k of payments, total.  That demonstrates that the exploit is repeatable and that it's been around for at least 6 months.  The reason that this person hasn't done it more often is because it is a very specific set of circumstances that must present themselves in order to exploit the bug.  While the circumstances may be very specific, they aren't necessarily rare and it would be safe to assume that the circumstances could be created more  frequently if one were to really try.  This bug also isn't caused by a certain game studio.  It is 100% a vulnerability in this casino's systems.

The person who discovered this would like to tell the casino, but also feels like they should be compensated for something like this.  It's pretty standard practice in many industries to pay people for discovering bugs or vulnerabilities in their processes or systems.  This person feels that this isn't any different.  If that person, who is a pretty small stakes gambler was able to take advantage of it, there's no telling how many more also have or will in the future. 

The person would like to be able to tell the casino about the bug, receive immunity from any penalties (financial or legal) related to the bug, fair compensation for the information.  

Does anyone have any helpful info for this person?  

Thanks.

[cocopop3011]

Hi and welcome to the forum. You know, we have had a similar topic to this in the past and I'm not sure we ever knew the final outcome. 

I think it would depend on how many times this person has exploited the bug. I of course agree to it being reported, but in regards to compensation, I suppose that will depend on how the casino sees the person telling them about it, and how much they have already earned from the bug?

[Afi4wins]

Everything man-made may have a bug or a loophole. Even crypto ewallets can be hacked, so can casino's payment systems.

Only a rare few people may ever know of what or where the bug lies, or how to take advantage of the bugs, but doing so may certainly be unlawful in the eyes of casino management team. The clause 'Malfunction voids all wins and pays' plays a part in this. A bug may be considered a malfunction. Report it and the casino may be very thankful to that person. Expect a nice big reward for reporting it? Quite unlikely! Use it to make money, get caught, then pay the penalty.

Cruel, unfair, but that's how things usually are.

[arandomdude]

5 hours ago, Afi4wins said:

Everything man-made may have a bug or a loophole. Even crypto ewallets can be hacked, so can casino's payment systems.

Only a rare few people may ever know of what or where the bug lies, or how to take advantage of the bugs, but doing so may certainly be unlawful in the eyes of casino management team. The clause 'Malfunction voids all wins and pays' plays a part in this. A bug may be considered a malfunction. Report it and the casino may be very thankful to that person. Expect a nice big reward for reporting it? Quite unlikely! Use it to make money, get caught, then pay the penalty.

Cruel, unfair, but that's how things usually are.

Thanks for your response.  "Bug" may not be the correct term.  There is zero manipulation of any of the casinos assets or any of the data exchanged between user account and casino.  No fraudulent deposits or anything like that.  It's a completely legal game mechanic that their software doesn't seem to know how to handle.  This is why it can't be exploited more often.  Any how, if the casino doesn't want to compensate a person for pointing out a vulnerability in their internal process that will ultimately cost them a lot of money (a very common practice in most industries), that's their decision and everyone is okay with that on this end.  The player is content with his/her ability to get compensated on a long term payment plan from the casino and also quite sure that they won't get caught.

 

[arandomdude]

6 hours ago, cocopop3011 said:

Hi and welcome to the forum. You know, we have had a similar topic to this in the past and I'm not sure we ever knew the final outcome. 

I think it would depend on how many times this person has exploited the bug. I of course agree to it being reported, but in regards to compensation, I suppose that will depend on how the casino sees the person telling them about it, and how much they have already earned from the bug?

Thanks for the response.  The player has exploited this bug 2 times, with 1 other failed attempt.  The fail happened in between the 2 successful attempts and the player is confident that they know what triggered the failed attempt.  

After looking back over the data that I have, it appears that I have overstated the total $$ involved in the 2 successful attempts.  Originally I said $10k.  It's actually closer to $6-7k.  

 

[Blackjax]

14 minutes ago, arandomdude said:

Thanks for the response.  The player has exploited this bug 2 times, with 1 other failed attempt.  The fail happened in between the 2 successful attempts and the player is confident that they know what triggered the failed attempt.  

After looking back over the data that I have, it appears that I have overstated the total $$ involved in the 2 successful attempts.  Originally I said $10k.  It's actually closer to $6-7k.  

 

Casinos do an audit on a daily to weekly basis. If someone was to take advantage of a bug they would have found out about it. There are special companies who handle payments. Casinos are not foodtrucks.