Deeds?

[Dragoy]

It really isn't a good idea to reveal the specifics about an exploit even after it's been fixed.

Security by obscurity? Yeah that works good.

I disagree, at least to some extent, and I'm more talking about things like "a text issue was fixed (English version only)" where the specifics are rather important for the reporter(s).

Even for this one they very well could have said something like "an issue caused more than intended Deeds to be obtained". With what they did say, I had to go see if mine were cleared OK still and all, though if that wouldn't be the case, I imagine they would have mentioned it... or would they!?

In any case, certainly not the best place to discuss this, so I'll leave any more specifics out. :]

[Alhanelem]

Security by obscurity? Yeah that works good.

It's already been fixed- that's not security by obscurity- but if you tell people how to do something you already fixed it will encourage people to try to break future things- It also simply does not matter in the first place. What value is there in knowing how to do something that can't be done anymore otherwise?

[Dragoy]

It's already been fixed- that's not security by obscurity- but if you tell people how to do something you already fixed it will encourage people to try to break future things- It also simply does not matter in the first place. What value is there in knowing how to do something that can't be done anymore otherwise?

As a tester, I think it is good to try to break things, in a good sense. That is, reporting it's broken, and helping us do just that, helps everyone, I think?

There is value in knowing that some thing was fixed so that I can try to break it again to verify that it is fixed, or as is in so many cases here, guess what they fixed and test everthing I reported that might be related.

In this particular case, I guess I would not even be able to test it since it seems to have required some non-vanilla things, but again, not focusing on exploits or anything, but just in general it would be nice if they would communicate towards us on these things especially since the in-house QA seems to be... well... you know.

[Alhanelem]

As a tester, I think it is good to try to break things, in a good sense. That is, reporting it's broken, and helping us do just that, helps everyone, I think?

I have worked in game dev QA and I do understand this side of things. That said, the reason they still avoid doing this is because while sure- you definitely want to know if things are broken so you can fix them- Not everyone who finds an exploit is going to report it responsibly (i.e. without disseminating said exploit to the entire internet). Which is different from say, remote code execution or some other security exploit because it is far more likely to be able to damage the game or its community than a zero day that most of the general public probably doesn't have the knowledge to execute even if they know the problem exists. It's not security by obscurity because you're still going to fix the problem to provide actual security, rather than simply rely on people not knowing over actually fixing something.

I suppose the threat of bans is probably enough to keep most people from sharing exploits with the wrong people, but I would still be vague if I posted this kind of thing in patch notes. FFXIV does do this a little better- They'll be like "fixed an issue which could cause problematic thing to happen under certain conditions" without specifying the exact conditions.

I was reminded of this thread just recently in another game. See this thread on Blizzard's Warcraft III forums:
https://us.forums.blizzard.com/en/wa...map-hack/37996

Maybe I"m crazy but... I don't think this was the right way to report a possible exploit, at least in the context of an online competitive multiplayer experience, because it increases the potential for harm before the exploit can be fixed (assuming it's real and needs fixing)

The difference between this and the security world (mostly the PHYSICAL security world) is where many security makers would rather just ignore problems and hope people don't find out about them rather than go to the expense of fixing their own product flaws (true security by obscurity), whereas it is in Square Enix's best interest (usually...) to fix exploits to avoid losing customers.