by bilekas 499 days ago
> Game developers continue to amaze me at their lack of security awareness.

Because game developers are SUPPOSED to be aware of these things?

> It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs

Yet the OP blames the GAME developers…

They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.

4 comments

You’re right - I should have specified more explicitly. I am not referring to the game dev that is developing game features or content - I am specifically talking about the “security engineering” organizations within game developer companies. NetEase hired security engineers to specifically do security-related tasks (see NetEase AntiCheat @ https://dun.163.com/locale/en?force=true). NetEase Games doesn’t have an excuse for not conducting a security review on a massive game like Marvel Rivals - and this isn’t some corner case, this is part of the core architecture.

And this is not a story unique to NetEase. I have multiple other examples that I’ll probably talk about in the future.

>> Game developers continue to amaze me at their lack of security awareness.

> Because game developers are SUPPOSED to be aware of these things?

If a civil engineer amazed people with their lack of structural integrity awareness, they wouldn't be trusted to build a house of cards let alone a bridge open to the general public. Software developers write defective, bug-ridden and unsafe public-facing devices and services that are open to the entire world and we shrug whenever there's a major cybersecurity or software crash catastrophe.

If software engineers were held to the same standards of accountability and liability as real engineers when they apply their signature at the bottom of a design calculations document, maybe we'd stop shoveling trivially wormable garbage onto the Internet without a second thought.

YES. Did you read the part where the game devs use RCE with admin privileges to run patches? Any developer who does that should be aware of the security risks they’re taking.

Any developer, yes, but I personally put game developers into a different category; they’re making games and trying to find shortcuts to meet strange management requirements. They don’t know the security side. I’m admitting there should be some guard before code review is approved from a real security engineer.

> Any developer who does that should be aware of the security risks they’re taking.

Developer yeah, someone who’s focused on recreating the game probably not

Trying to meet strange management requirements is normal for just about any professional developer. I don’t understand why you think game developers deserve a special exemption.

If you sell software to millions of people that runs with access to sensitive data you have an obligation to do a good job, sorry. If you don't like that, make it MIT licensed on an open source site instead of $70 on Steam.

The developers don’t have that obligation, the publishers do though. They are the last in the chain here. Those gaming agencies have a lot of bureaucracy filtered in gaming senses.

I’ll say this: every single game dev I’ve ever met has no clue how to navigate bureaucracy. I’m not saying it’s a type, but it’s not random; they have other things to worry about.